Aryeh Gregor wrote:
> On Thu, Jul 23, 2009 at 1:37 PM, Tim Starling<tstarl...@wikimedia.org> wrote:

You know you could have changed that header to indicate who actually
wrote it. It's not against the laws of the internet.

>> To help in the "proving trustworthy, or else" process, I have released
>> the source code of Watchlistr - please take a look at it. You will see
>> that I take the utmost care in securing user information. The wiki
>> logins are encrypted with AES in our database. The key used to encrypt
>> each user's login list is their site username, which is stored as a
>> SHA1 hash in our database. If a cracker were to, somehow, gain access
>> to the database, they would be left with a pile of garbage.
> 
> They would only have to get the site usernames to decrypt the login
> info.  They could get those the next time each user logs in, if
> they're not detected immediately.  There's no way around this; if your
> program can log in as the users, so can an attacker who's able to
> subvert your program.

There are plenty of ways to attack watchlistr without fully compromising
the server. There is no HTML escaping whatsoever, so the thing is full
of XSS vulnerabilities.

For the most part it's escaped for SQL on the input side, which is
hard to verify and easy to mess up. Indeed I found a place where it
was messed up, an SQL injection vulnerability. It appears to allow
compromise of any user's wiki passwords. The AES encryption does not
affect the viability of the attack, since you can use XSS to screen
scrape the unhashed username.

I contacted Cody about this privately and he confirmed that the
scripts are offline and the user database has been deleted, so we're
free to talk about it publicly.

-- Tim Starling
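The two defects described in this thread, escape-on-input that one code path forgets versus bound parameters, and output that is never HTML-escaped, are illustrated below in an added example that is not Watchlistr's code and not part of the original mail. The table layout, the row contents, the injection payload and the helper names are constructed for the illustration; the hash check at the end only shows why a SHA1 of a public username is not a secret, it does not reproduce the AES scheme.

```python
import hashlib
import html
import sqlite3

# Constructed in-memory schema standing in for a "logins" table
# (hypothetical layout; not Watchlistr's own).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (user TEXT, wiki TEXT, password TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("alice", "enwiki", "alice-secret"),
        ("bob", "dewiki", "bob-secret"),
    ])
    return conn


def escape_on_input(value):
    # The fragile pattern: escape once, early, and hope every later
    # query remembers to use the escaped copy.
    return value.replace("'", "''")


def lookup_escaped_path(conn, user):
    # A path that did escape its input before interpolating it.
    user = escape_on_input(user)
    sql = "SELECT wiki, password FROM logins WHERE user = '%s'" % user
    return conn.execute(sql).fetchall()


def lookup_forgotten_path(conn, user):
    # The one path where escaping was missed: raw input goes into the SQL
    # text, so a crafted username returns every user's rows.
    sql = "SELECT wiki, password FROM logins WHERE user = '%s'" % user
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user):
    # Bound parameters: the value never becomes part of the SQL text, so
    # there is nothing to verify per call site.
    return conn.execute(
        "SELECT wiki, password FROM logins WHERE user = ?", (user,)
    ).fetchall()


# Constructed payload: closes the string literal and appends a tautology.
INJECTION = "x' OR '1'='1"


def render_wiki_name(wiki):
    # Output-side HTML escaping, the step the thread says was absent.
    # Without html.escape, a wiki name containing markup would run as
    # script in every viewer's browser.
    return "<td>%s</td>" % html.escape(wiki, quote=True)


def stored_username_hash(username):
    # Stand-in for "site username stored as a SHA1 hash".
    return hashlib.sha1(username.encode("utf-8")).hexdigest()


def username_is_guessable(stored_hash, candidates):
    # A public username is recoverable from its hash by trying candidates,
    # so hashing it adds no secrecy to anything keyed on it.
    return [c for c in candidates if stored_username_hash(c) == stored_hash]


if __name__ == "__main__":
    conn = make_db()
    print("forgotten path:", lookup_forgotten_path(conn, INJECTION))
    print("escaped path:  ", lookup_escaped_path(conn, INJECTION))
    print("parameterised: ", lookup_parameterised(conn, INJECTION))
    print(render_wiki_name("<script>alert(1)</script>"))
    print(username_is_guessable(stored_username_hash("alice"), ["bob", "alice"]))
```

Run stand-alone, the forgotten path returns both users' rows for the crafted input while the other two return nothing; the point is not that escaping cannot work, but that it must be proven correct at every interpolation site, whereas a bound parameter is correct by construction.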


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l