Change Request -- mediawiki auth plugin

Toshio Kuratomi a.badger at gmail.com
Fri Jan 30 23:38:15 UTC 2009


Toshio Kuratomi wrote:
> The Mediawiki auth plugin has to contact admin.fedoraproject.org in
> order to lookup the users and verify their passwords.  It's using curl
> to do so.  One of the options being given to curl is the following:
> 
>   # This is only required because of the wildcard cert on pt10
>   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
> 
> That turns off verifying the host via SSL.  From the comment it appears
> to only be needed with the test FAS server.  I'd like to comment this
> line out.
> 
> This is a flaw that potentially opens us to a DNS spoofing attack to
> compromise authentication.  Luckily for us, there is a problem with
> routing to admin.fedoraproject.org within PHX so we have an /etc/hosts
> entry for admin.fp.o that directs the wiki to use an internal IP
> address.  That means for this flaw to affect us, someone would have to
> compromise the /etc/hosts files rather than a DNS server.  So we should
> fix this but compromising it is not as easy.
> 
> If this fails, we will see authentication failures when we try to login
> to the wiki and can revert.
> 
After looking at this a little more with G, there's two settings to toggle:

CURLOPT_SSL_VERIFYPEER
CURLOPT_SSL_VERIFYHOST

They're both set to off right now and I'd like to turn them both back
on.  Tested with a small php script that turning them on doesn't
interfere with retrieving data.

> Can I get a couple +1's?

-Toshio

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20090130/f54b198e/attachment.sig>


More information about the Fedora-infrastructure-list mailing list