News page in the Wiki

Till Maas opensource at till.name
Sun Nov 9 23:41:22 CET 2008


On Sun November 9 2008, Chris Nolan wrote:
> Till Maas wrote:
> > With using the FAS credentials, that allow to produce major damage in the
> > wrong hands, within an application that is considered not very secure
> > make my security concerns grow a lot more. I know that they are already
> > used for OpenID and Mediawiki in Fedora, so there are a lot of attack
> > vectors there, but maybe RPMFusion could be more secure.
>
> This is a fair concern - wordpress has a poor history. However, the
> potential for an exploit being harmful would be minimal because WP would
> never store the FAS password and a validated WP session has no control
> over FAS. All authentication with FAS would be done over SSL: at no
> point is the password sent over a non-encrypted connection and it is
> never stored anywhere within wordpress or logged anywhere on the client
> machine/within the session/on the wordpress server.

One pretty common vulnerability would be a cross site scripting, especially a 
persistent one, where all the described security measures would not help. An 
attacker would simply modify the login prompt that is shown if someone opens 
the wordpress homepage and instead of sending the credentials directly to 
FAS, they are also sent to the attacker. Here SSL or not storing the 
credentials on the wordpress server would not help.

Regards,
Till
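The following is an added illustration, not code from this thread or from WordPress or FAS: it contrasts a renderer that emits stored user content verbatim (the persistent-XSS case Till describes) with one that HTML-escapes it, and shows a Content-Security-Policy whose form-action directive is the control that stops a tampered login form from posting credentials to a third party. The sample content and the https://fas.example origin are constructed placeholders.

```python
import html
import re

# Constructed untrusted content, e.g. a stored comment or page edit.
# The external script URL is a placeholder, not a real host.
STORED_CONTENT = 'Nice post! <script src="https://evil.example/x.js"></script>'


def render_unsafe(content: str) -> str:
    """Vulnerable rendering: stored text is placed into the page verbatim,
    so any markup it carries runs as live HTML/JS for every visitor."""
    return f"<div class='comment'>{content}</div>"


def render_escaped(content: str) -> str:
    """Hardened rendering: HTML-escape untrusted text before interpolation,
    so '<' becomes '&lt;' and the browser displays it as text, not markup."""
    return f"<div class='comment'>{html.escape(content, quote=True)}</div>"


def csp_header(login_origin: str) -> str:
    """Content-Security-Policy value (assumption: the page needs only
    same-origin assets). form-action restricts where any <form> may submit,
    so a modified login form cannot post the password elsewhere; script-src
    'self' blocks externally hosted injected scripts."""
    return (
        "default-src 'self'; "
        "script-src 'self'; "
        f"form-action 'self' {login_origin}; "
        "object-src 'none'; "
        "base-uri 'self'"
    )


# Tags that make a rendered fragment "active" (run code or submit data).
_ACTIVE_TAG = re.compile(r"<\s*(script|form|iframe)\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """Check for a test suite or pre-publish filter: does the rendered
    fragment contain a live script/form/iframe tag? True for the unsafe
    renderer, False once the untrusted content has been escaped."""
    return bool(_ACTIVE_TAG.search(rendered))


if __name__ == "__main__":
    print(render_unsafe(STORED_CONTENT))
    print(render_escaped(STORED_CONTENT))
    print("Content-Security-Policy:", csp_header("https://fas.example"))
```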

