On Sun, Sep 18, 2011 at 7:07 PM, bawolff <[email protected]> wrote:
> Anthony wrote:
>> It does not involve generating hash collisions, but it involves
>> finding various bugs in mediawiki and using them to vandalise, often
>> by injecting javascript. The best description I could find was at
>> Encyclopedia Dramatica, which seems to be taken down (there's a cache
>> if you do a google search for "grawp wikipedia"). There's also a
>> description at http://en.wikipedia.org/wiki/User:Grawp , which does
>> not do justice to the "mad hacker skillz" of this individual and his
>> intent on finding bugs in mediawiki and exploiting them.
>>
>
> Say what? Being able to inject js is a very serious vulnerability. If
> he's doing this, why haven't I seen any security releases triggered by
> a vandal finding an XSS? Has no one reported it?

I have no idea. How long have you been reading the release notes?
This was a few years ago that this happened to me, and the software I
was using was probably a year or two old. I didn't investigate into
the details of the bug. I didn't have the time to do that, which is
why I just took the site down rather than bother.

> The pages you link to seem to indicate he's nothing more than a
> willy-on-wheels type vandal, who at worst tricked an admin into doing
> a delete of a page with a very high number of revisions making the
> server kittens cry for a moment. There's no indication he has "mad
> hacker skillz" in any way or form (and given the tone of that
> Encyclopedia Dramatica page, I assume they'd be bragging about it if
> he did).

As I said, I couldn't find a page which described it in detail. Maybe
if you look at archive.org?

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
