The Mediawiki auth plugin has to contact admin.fedoraproject.org in order to lookup the users and verify their passwords. It's using curl to do so. One of the options being given to curl is the following: # This is only required because of the wildcard cert on pt10 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE); That turns off verifying the host via SSL. From the comment it appears to only be needed with the test FAS server. I'd like to comment this line out. This is a flaw that potentially opens us to a DNS spoofing attack to compromise authentication. Luckily for us, there is a problem with routing to admin.fedoraproject.org within PHX so we have an /etc/hosts entry for admin.fp.o that directs the wiki to use an internal IP address. That means for this flaw to affect us, someone would have to compromise the /etc/hosts files rather than a DNS server. So we should fix this but compromising it is not as easy. If this fails, we will see authentication failures when we try to login to the wiki and can revert. Can I get a couple +1's? -Toshio
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Fedora-infrastructure-list mailing list Fedora-infrastructure-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
