On 26/06/2014 17:03, Andre Klapper wrote:
> I have seen several 'bug reports' in Mozilla Bugzilla by 'security
> researchers' about source code of projects being exposed on Mozilla's
> servers. Clearly a security breach. What does "FOSS" stand for?
> 
> So it boils down to "how to keep clueless people out", to be rough.

Eons ago, we had a couple security experts that paid us a visit to the
then very young #mediawiki .

They were willing to help us by auditing the code security and had already
found a pretty nasty bug that could be a vector of attacks against other
websites.

It was possible to inject into an uploaded image arbitrary code such
as JavaScript (enclosed in <script>), then embed that image on another
site and point a victim at it.

Damn. Wikipedia, a few years old, had been a serious threat to the
internet. We were shocked and took the matter very "seriously".

Then it was either Brion or Tim who showed up and wrote something like:

 Your attack vector is too complicated. Just paste the JavaScript into any
page by pressing [edit].

The two security experts promptly disappeared.


-- 
Antoine "hashar" Musso


_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
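
The bug class described in the message above (an uploaded "image" that carries HTML or JavaScript, which a content-sniffing browser may execute when the file is embedded or opened directly from the upload host) is usually caught at upload time. The block below is an added example written for this page; it is not MediaWiki's code and not the check the audit found or fixed. It assumes a small allow-list of image magic numbers, a hand-picked set of HTML markers, and constructed sample uploads; all of those names and values are illustrative.

```python
"""Reject uploaded 'images' that could be sniffed as HTML/JavaScript.

Added example, not MediaWiki code. Two checks: (1) the file starts with a
known image magic number that matches the declared type, and (2) the bytes
contain no HTML/script marker that a content-sniffing browser might act on.
"""
import re

# Assumed allow-list of accepted formats, keyed by magic number.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

# Markers that browsers with legacy content sniffing treat as HTML.
# Illustrative list; matched case-insensitively over the whole file.
HTML_MARKERS = re.compile(
    rb"<\s*(script|html|head|body|iframe|object|embed|meta|!doctype|svg)\b"
    rb"|javascript:",
    re.IGNORECASE,
)


def detect_image_type(data: bytes):
    """Return the MIME type implied by the magic number, or None."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def find_script(data: bytes):
    """Return the first HTML/script marker found in the upload, or None."""
    m = HTML_MARKERS.search(data)
    return m.group(0) if m else None


def check_upload(data: bytes, declared_mime: str):
    """Return (accepted, reason).

    Accept only when the magic number matches the declared type and no
    HTML/script marker is present anywhere in the file.
    """
    actual = detect_image_type(data)
    if actual is None:
        return False, "unrecognised image header"
    if actual != declared_mime:
        return False, f"declared {declared_mime} but content is {actual}"
    marker = find_script(data)
    if marker is not None:
        return False, f"embedded markup found: {marker.decode('latin-1')!r}"
    return True, "ok"


# Constructed sample uploads (not real files, not taken from the thread).
CLEAN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 64
# A GIF header followed by script: valid-looking image, executable as HTML.
POLYGLOT_GIF = b"GIF89a" + b"/*" + b"\x00" * 16 + b"*/<script>alert(1)</script>"
NOT_AN_IMAGE = b"<html><body>hi</body></html>"

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_GIF), ("polyglot", POLYGLOT_GIF),
                       ("html", NOT_AN_IMAGE)]:
        print(name, check_upload(blob, "image/gif"))
```

Scanning the whole file rather than only the first kilobyte is the conservative choice: it also rejects images whose metadata chunks legitimately contain a string such as "<html", so a real deployment would tune the marker list against its own corpus of uploads. Serving uploads from a separate origin with an explicit Content-Type and `X-Content-Type-Options: nosniff` closes the same hole from the other side, independently of what the upload filter catches.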