[Wikitech-l] [SECURITY] CentralAuth - Tokens & apioutput.js

Chad Fri, 20 Jan 2017 16:25:10 -0800

Hi,

This shouldn't affect very many installations as CentralAuth is very
WMF-specific but letting everyone know that a fix for CentralAuth has just
been released.


It allowed user impersonation by a combination of the apioutput.js (used
for api.php output customization) and the central auth cookie.

The bug is: https://phabricator.wikimedia.org/T144573
The gerrit change is: https://gerrit.wikimedia.org/r/#/c/333316/

-Chad
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

[Wikitech-l] [SECURITY] CentralAuth - Tokens & apioutput.js

Reply via email to