Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
On Mon, Jun 3, 2013 at 11:52 AM, Yuvi Panda wrote:
> On Tue, Jun 4, 2013 at 12:13 AM, Chris Steipp wrote:
>> For OpenID, the plan coming out of the meetings is:
>> * As part of the current Auth Sprint, I'll be doing a full review of
>> OpenID with the goal of getting it deployed on the WMF cluster
>
> Wonderful! Can you tell me the timeline of 'current auth sprint'?

We are trying to finish the items in scope (SUL rework, OAuth, and a review of the OpenID extension) by the end of this month.

>> * We are planning to make login.wikimedai.org an OpenID provider to
>> other WMF projects at some point in the near future
>
> Super-wonderful :) Again, a rough timeline?
>
> Looking forward to being able to use My Wikimedia Identity elsewhere :)
>
> --
> Yuvi Panda T
> http://yuvi.in/blog

___
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
On Tue, Jun 4, 2013 at 12:13 AM, Chris Steipp wrote:
> For OpenID, the plan coming out of the meetings is:
> * As part of the current Auth Sprint, I'll be doing a full review of
> OpenID with the goal of getting it deployed on the WMF cluster

Wonderful! Can you tell me the timeline of 'current auth sprint'?

> * We are planning to make login.wikimedai.org an OpenID provider to
> other WMF projects at some point in the near future

Super-wonderful :) Again, a rough timeline?

Looking forward to being able to use My Wikimedia Identity elsewhere :)

--
Yuvi Panda T
http://yuvi.in/blog
Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
On Sun, Jun 2, 2013 at 11:30 AM, Yuvi Panda wrote:
> On Sat, Mar 9, 2013 at 3:49 AM, Ryan Lane wrote:
>> On wikitech the blockers were the switch of the wiki name (from labsconsole
>> to wikitech) and this. There's still some issues that need to be worked out
>> for deployment on the main projects. Also, it needs a full review before
>> deployment to the projects, and we need to work out how this will affect the
>> OAuth plans. We have a kickoff meeting for this coming up soon. I'll send
>> updates when that occurs.
>
> Did anything come out of the Kickoff Meeting?

For OpenID, the plan coming out of the meetings is:

* As part of the current Auth Sprint, I'll be doing a full review of OpenID with the goal of getting it deployed on the WMF cluster
* We are planning to make login.wikimedai.org an OpenID provider to other WMF projects at some point in the near future

If you have any specific questions, feel free to ping me on or off list.
Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
On Sat, Mar 9, 2013 at 3:49 AM, Ryan Lane wrote:
> On wikitech the blockers were the switch of the wiki name (from labsconsole
> to wikitech) and this. There's still some issues that need to be worked out
> for deployment on the main projects. Also, it needs a full review before
> deployment to the projects, and we need to work out how this will affect the
> OAuth plans. We have a kickoff meeting for this coming up soon. I'll send
> updates when that occurs.

Did anything come out of the Kickoff Meeting?

--
Yuvi Panda T
http://yuvi.in/blog
Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
On Fri, Mar 8, 2013 at 1:07 AM, Yuvi Panda wrote:
> Was this the last blocker to getting the extension deployed?

On wikitech the blockers were the switch of the wiki name (from labsconsole to wikitech) and this. There's still some issues that need to be worked out for deployment on the main projects. Also, it needs a full review before deployment to the projects, and we need to work out how this will affect the OAuth plans. We have a kickoff meeting for this coming up soon. I'll send updates when that occurs.

For deployment on wikitech I think I'd like to wait for a full security review, so it may be a little while.

- Ryan
Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
On 03/08/2013 01:34 AM, Petr Bena wrote:
> this shouldn't be very dangerous

Even if it isn't in practice in the typical cases, it exposes a third party to a risk they are unable to assess if they use that OpenID. (And it doesn't require a 'crat going rogue even here -- renames are sometimes done without salting the former username and an unrelated third party could create an account to reuse the username and then probe plausible consumers of the ID).

-- Marc
Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
On 08.03.2013 10:07, Yuvi Panda wrote:
> Was this the last blocker to getting the extension deployed?

One, two or three further non-sec-related patches will follow in the next days which improve the user GUI, especially the preference tab for OpenID.

Stay tuned...

Regards,
Tom
Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
Was this the last blocker to getting the extension deployed?
Re: [Wikitech-l] Extension:OpenID 3.00 - Security Release
This is indeed a problem, but given that rename permissions are granted by default to bureaucrats, who are the most trusted users, and on small wikis typically sysadmins with shell access, this shouldn't be very dangerous. A sysadmin with shell access will be able to steal your identity anyway. It's a problem in the case of large wikis like those on WMF.

On Fri, Mar 8, 2013 at 2:19 AM, Ryan Lane wrote:
> Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID
> extension for the case that MediaWiki is used as a "provider" and the wiki
> allows renaming of users.
>
> All previous versions of the OpenID extension used user-page URLs as
> identity URLs. On wikis that use the OpenID extension as "provider" and
> allows user renames, an attacker with rename privileges could rename a user
> and could then create an account with the same name as the victim. This
> would have allowed the attacker to steal the victim's OpenID identity.
>
> Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/
> as the user's identity URL, being the immutable MediaWiki-internal
> userid of the user. The user's old identity URL, based on the user's
> user-page URL, will no longer be valid.
>
> The user's user page can still be used as OpenID identity URL, but will
> delegate to the special page.
>
> This is a breaking change, as it changes all user identity URLs. Providers
> are urged to upgrade and notify users, or to disable user renaming.
>
> Respectfully,
>
> Ryan Lane
>
> https://gerrit.wikimedia.org/r/#/c/52722
> Commit: f4abe8649c6c37074b5091748d9e2d6e9ed452f2
[Wikitech-l] Extension:OpenID 3.00 - Security Release
Marc-Andre Pelletier discovered a vulnerability in the MediaWiki OpenID extension for the case that MediaWiki is used as a "provider" and the wiki allows renaming of users.

All previous versions of the OpenID extension used user-page URLs as identity URLs. On wikis that use the OpenID extension as "provider" and allows user renames, an attacker with rename privileges could rename a user and could then create an account with the same name as the victim. This would have allowed the attacker to steal the victim's OpenID identity.

Version 3.00 fixes the vulnerability by using Special:OpenIDIdentifier/ as the user's identity URL, being the immutable MediaWiki-internal userid of the user. The user's old identity URL, based on the user's user-page URL, will no longer be valid.

The user's user page can still be used as OpenID identity URL, but will delegate to the special page.

This is a breaking change, as it changes all user identity URLs. Providers are urged to upgrade and notify users, or to disable user renaming.

Respectfully,

Ryan Lane

https://gerrit.wikimedia.org/r/#/c/52722
Commit: f4abe8649c6c37074b5091748d9e2d6e9ed452f2
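The advisory's point is that an identity URL must be keyed on something the provider never reassigns. The toy provider below is an added example, not the OpenID extension's code: it replays the rename-then-reregister sequence from the advisory against both URL schemes, so a consumer can see which of its stored identity URLs would silently start naming a different account. The hostname is constructed, and the exact shape of the Special:OpenIDIdentifier URL (userid as the trailing path component) is an assumption taken from the advisory's description.

```python
# Added example (not the extension's code): identity URL keyed on the mutable
# username (pre-3.00) versus the immutable userid (3.00). Hostname is constructed.
class ToyProvider:
    BASE = "https://wiki.example.org/wiki/"   # constructed hostname

    def __init__(self):
        self.users = {}      # userid -> current username
        self.next_id = 1

    def create_account(self, name):
        if name in self.users.values():
            raise ValueError("username already taken")
        uid, self.next_id = self.next_id, self.next_id + 1
        self.users[uid] = name
        return uid

    def rename(self, uid, new_name):
        if new_name in self.users.values():
            raise ValueError("username already taken")
        self.users[uid] = new_name   # old name is freed, not reserved

    def legacy_identity(self, uid):
        # pre-3.00: the identity URL is the user page, so it follows the username
        return f"{self.BASE}User:{self.users[uid]}"

    def identity(self, uid):
        # 3.00: the identity URL carries the userid (assumed form of the special page URL)
        return f"{self.BASE}Special:OpenIDIdentifier/{uid}"

    def resolve(self, url):
        """Account that a consumer's stored identity URL names *now* (None if nobody)."""
        new_prefix, old_prefix = self.BASE + "Special:OpenIDIdentifier/", self.BASE + "User:"
        if url.startswith(new_prefix):
            uid = int(url[len(new_prefix):])
            return uid if uid in self.users else None
        if url.startswith(old_prefix):
            name = url[len(old_prefix):]
            return next((u for u, n in self.users.items() if n == name), None)
        return None

def stability_check():
    """Replay the advisory's rename-then-reregister sequence against both schemes."""
    p = ToyProvider()
    victim = p.create_account("Alice")
    legacy_url, stable_url = p.legacy_identity(victim), p.identity(victim)
    p.rename(victim, "Alice_old")          # someone with rename rights renames the victim
    newcomer = p.create_account("Alice")   # freed name is reused by a different account
    return {"victim": victim, "newcomer": newcomer,
            "legacy_resolves_to": p.resolve(legacy_url),   # newcomer: identity hijacked
            "stable_resolves_to": p.resolve(stable_url)}   # victim: unaffected
```

The same check applied to a consumer's stored identity URLs after the upgrade shows which records were keyed on the old user-page form and need re-verification.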