Can you provide any documentation on the details of this exploit?

On Wed, Sep 30, 2015 at 12:50 PM, Daniel Friesen <dan...@nadir-seen-fire.com> wrote:

> Bug? There is nothing that can be fixed.
>
> You just have to accept that as long as the login page is on the same
> domain as site scripts, there is no way to stop those scripts from
> controlling the login page.
>
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
>
> On 2015-09-30 9:33 AM, Tyler Romeo wrote:
> > Is there a bug filed for that?
> > On Sep 30, 2015 12:13, "Daniel Friesen" <dan...@nadir-seen-fire.com> wrote:
> >
> >> On 2015-09-30 8:48 AM, Chris Steipp wrote:
> >>> * We disable site and user .js on Special:UserLogin, so a malicious admin
> >>> can't add password sniffing javascript to the login page
> >> Note that you can make use of pushState to render this protection moot
> >> for anyone who clicks the login link instead of directly visiting
> >> UserLogin page. Which is practically everyone.
> >>
> >> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
> >>
> >>
> >> _______________________________________________
> >> MediaWiki-l mailing list
> >> To unsubscribe, go to:
> >> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
> >>