On Sun November 9 2008, Chris Nolan wrote:
Till Maas wrote:
> With using the FAS credentials, that allow to produce major damage in the
> wrong hands, within an application that is considered not very secure
> make my security concerns grow a lot more. I know that they are already
> used for OpenID and Mediawiki in Fedora, so there are a lot of attack
> vectors there, but maybe RPMFusion could be more secure.
> This is a fair concern - wordpress has a poor history. However, the
> potential for an exploit being harmful would be minimal because WP would
> never store the FAS password and a validated WP session has no control
> over FAS. All authentication with FAS would be done over SSL: at no
> point is the password sent over a non-encrypted connection and it is
> never stored anywhere within wordpress or logged anywhere on the client
> machine/within the session/on the wordpress server.
One pretty common vulnerability would be a cross site scripting, especially a
persistent one, where all the described security measures would not help. An
attacker would simply modify the login prompt that is shown if someone opens
the wordpress homepage and instead of sending the credentials directly to
FAS, they are also sent to the attacker. Here SSL or not storing the
credentials on the wordpress server would not help.
Regards,
Till