As an alternative, please send details of the exploit to the security list,
or just file a security bug.
On Sep 30, 2015 13:03, "John" <[email protected]> wrote:

> Can you provide any documentation on the details of this exploit?
>
> On Wed, Sep 30, 2015 at 12:50 PM, Daniel Friesen <[email protected]> wrote:
>
> > Bug? There is nothing that can be fixed.
> >
> > You just have to accept that as long as the login page is on the same
> > domain as site scripts, there is no way to stop those scripts from
> > controlling the login page.
> >
> > ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
> >
> > On 2015-09-30 9:33 AM, Tyler Romeo wrote:
> > > Is there a bug filed for that?
> > > On Sep 30, 2015 12:13, "Daniel Friesen" <[email protected]> wrote:
> > >
> > >> On 2015-09-30 8:48 AM, Chris Steipp wrote:
> > >>> * We disable site and user .js on Special:UserLogin, so a malicious admin
> > >>> can't add password sniffing javascript to the login page
> > >> Note that you can make use of pushState to render this protection moot
> > >> for anyone who clicks the login link instead of directly visiting
> > >> UserLogin page. Which is practically everyone.
> > >>
> > >> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
> > >>
> > >>
> > >> _______________________________________________
> > >> MediaWiki-l mailing list
> > >> To unsubscribe, go to:
> > >> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l