On Wednesday, 8 July 2009, Sergey Chernyshev wrote:
> This shows that it's good that you disclosed it because who knows, maybe
> your ACL cache can be circumvented in some other way, not only by using
> template ;)

It is also good because it shows that other attacks still have some hope to
succeed. I have some ideas there ... ;-) (but time is short; maybe I try this
later)

-- Markus

>
> Sergey
>
>
> On Wed, Jul 8, 2009 at 3:55 AM, Thomas Schweitzer
> <[email protected]> wrote:
> > Lane, Ryan wrote:
> > >> And by the way: Congratulations to David MacDonald. He found the first
> > >> bug and was able to read "ProtectedArticle". It is already fixed and I
> > >> won't tell how he did it :-)
> > >
> > > Wouldn't it be better for everyone to know how he did it so that we can
> > > check similar methods?
> > >
> > > Hiding bugs doesn't really help security.
> > >
> > > V/r,
> > >
> > > Ryan Lane
> >
> > Hi Ryan,
> >
> > in general, you are right. But this was a weird bug that, as it is fixed
> > now, does not help finding other bugs.
> > But anyway, this is how Dave did it:
> > He created an article in which he wanted to transclude
> > "ProtectedArticle". But instead of writing {{:ProtectedArticle}} he
> > wrote {{ProtectedArticle}} and saved his article. Effectively, the
> > article contained an unknown template (Template:ProtectedArticle) which
> > was checked for access restrictions. As it has none, access was granted
> > and my ACL-cache contained a positive value for "ProtectedArticle". Now
> > Dave corrected the content of his article to {{:ProtectedArticle}} and
> > saved again. My ACL-cache still said "ProtectedArticle" is fine and so
> > it was finally completely transcluded. The bug was that the ACL-cache
> > did not contain the full name of the protected object.
> > "ProtectedArticle" and "Template:ProtectedArticle" were the same for the
> > cache.
> >
> > Best
> > Thomas
> >
> > --
> > Thomas Schweitzer
> > Professional Services
> > ontoprise GmbH - know how to use Know-how
> > ---
> > ontoprise is the general contractor for Vulcan's Semantic Wiki in
> > Project Halo http://www.ontoprise.de/
> > ---
> > Amalienbadstraße 36 (Raumfabrik 29); 76227 Karlsruhe
> > Tel.: +49 (0) 721 509 809 39; Fax: +49 (0) 721 509 809 11
> > eMail: [email protected]; www: http://www.ontoprise.de
> > Registered office: Amtsgericht Mannheim, HRB 9540
> > Managing directors: Prof. Dr. Jürgen Angele, Dipl.Wi.-Ing. Hans-Peter
> > Schnurr

--
Markus Krötzsch
Semantic MediaWiki http://semantic-mediawiki.org
http://korrekt.org [email protected]
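
The cache-key collision Thomas describes can be reproduced in a small model. This is an added example, not part of the thread and not the extension's code; `AclCache`, `resolve_transclusion`, `PROTECTED` and the two key functions are hypothetical names, and the transclusion parsing is simplified.

```python
# Constructed model of the ACL-cache bug from the thread (assumed names, not real extension code).
PROTECTED = {("", "ProtectedArticle")}  # constructed data: (namespace, title) pairs with restrictions


def resolve_transclusion(markup):
    """Map {{Name}}, {{:Name}} or {{Ns:Name}} to a (namespace, title) pair."""
    inner = markup.strip()[2:-2].strip()
    if inner.startswith(":"):        # leading colon: article in the main namespace
        return ("", inner[1:])
    if ":" in inner:                 # explicit namespace prefix
        ns, title = inner.split(":", 1)
        return (ns, title)
    return ("Template", inner)       # bare name resolves to Template:Name


def bare_title_key(target):
    """Flawed key: drops the namespace, so Template:X and X share one entry."""
    return target[1]


def full_name_key(target):
    """Corrected key: the full (namespace, title) identity of the object."""
    return target


class AclCache:
    """Caches access decisions; the key function decides what counts as 'the same object'."""

    def __init__(self, key_func):
        self._key = key_func
        self._allowed = {}

    def may_transclude(self, target):
        key = self._key(target)
        if key not in self._allowed:                     # cache miss: run the real check
            self._allowed[key] = target not in PROTECTED
        return self._allowed[key]


def replay(cache):
    """Replay the two saves from the thread; return (first decision, second decision)."""
    first = cache.may_transclude(resolve_transclusion("{{ProtectedArticle}}"))
    second = cache.may_transclude(resolve_transclusion("{{:ProtectedArticle}}"))
    return first, second


if __name__ == "__main__":
    print("bare-title key:", replay(AclCache(bare_title_key)))  # second decision is wrongly True
    print("full-name key: ", replay(AclCache(full_name_key)))   # second decision is False
```

The `replay` sequence doubles as a regression test: any cache whose key omits part of the object's identity (namespace here) will return the stale positive decision on the second call.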
