On 2016-02-12 17:09:12 +0000 (+0000), Jeremy Stanley wrote:
> Wow! That's interesting. I wonder if there's an auth hole in the
> mobile browser support in Mediawiki? If you try to log in with a
> normal browser it sends you to login.launchpad.net to do OpenID
> authentication.

It does indeed look like Mediawiki "Mobile View" uses standard
password authentication and not the OpenID authentication we force
for the normal "Desktop View." The account creation process for it
at <URL: https://wiki.openstack.org/w/index.php?title=Special:UserLogin&type=signup&returnto=Main+Page&returntoquery=campaign%3DleftNavSignup >
prompts for a "secret word" so if that's something
default/discoverable/guessable then I suppose this is a trivial
bypass of our OpenID restriction.

Anybody happen to be familiar with this? I'm inclined to figure out
how to disable the mobile view until someone has time to research
and fix it to use OpenID exclusively.
-- 
Jeremy Stanley

_______________________________________________
OpenStack-Infra mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
