Brion Vibber <brion(a)pobox.com> writes:
Last night someone hacked the password of one of the French Wikipedia sysops, Youssefsan. (Using IP 217.144.0.5, possibly a proxy?)
Seems to be a Jordanian IP range:
Process query: '217.144.0.5'
Query recognized as IP.
Querying whois.ripe.net:43 with whois.
% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html
inetnum: 217.144.0.0 - 217.144.6.255
netname: NEXTJO
descr: Network Exchange Technology
descr: Farah Trading & Contracting Co.
descr: P.O.Box 510449, Amman 11151 Jordan
country: JO
admin-c: MF13297-RIPE
tech-c: MF16025-RIPE
status: ASSIGNED PA
notify: mohammad_farraj(a)hotmail.com
mnt-by: RIPE-NCC-NONE-MNT
changed: mohammad_farraj(a)hotmail.com 20021120
source: RIPE
I've changed the sysop's SQL query to use a separate MySQL user account which has read-only access and isn't allowed to read the email and password fields of the user table, which should close the 'malicious sysop' hole. (However, developers still have full access.)
Fine :-) However, the general problem of stored passwords remains. It would be inconvenient for sysops, but maybe better in regard to security, to generally prohibit storing sysop and developer passwords in permanent cookies and maybe force a password change from time to time.
greetings,
elian
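The read-only, column-restricted MySQL account Brion describes above can be expressed with ordinary GRANT statements. The following is an added example and not the actual configuration from the thread or from the wiki software; the database name `wikidb`, the content tables `cur` and `old`, the account name `wikiquery`, and the column names of the `user` table are assumptions chosen for illustration.

```sql
-- Added example (not from the original thread): a least-privilege MySQL
-- account for the sysop "run an SQL query" feature. The database name,
-- table names, account name and column names are assumptions.

-- 1. A dedicated account that starts with no privileges at all.
CREATE USER 'wikiquery'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';

-- 2. Read-only access to the content tables sysops actually need to query.
GRANT SELECT ON wikidb.cur TO 'wikiquery'@'localhost';
GRANT SELECT ON wikidb.old TO 'wikiquery'@'localhost';

-- 3. Column-level grant on the user table: only the listed columns are
--    readable. The password and email columns are deliberately omitted,
--    so they are not just "not granted" but unreadable through this account.
GRANT SELECT (user_id, user_name, user_rights) ON wikidb.user
    TO 'wikiquery'@'localhost';

-- 4. Verify what the account can and cannot do (run these as wikiquery):
--    SELECT user_name FROM wikidb.user LIMIT 1;
--        -> works
--    SELECT user_password FROM wikidb.user LIMIT 1;
--        -> fails: SELECT command denied for column 'user_password'
--    SELECT * FROM wikidb.user LIMIT 1;
--        -> also fails: the * expands to columns this account may not read
--    UPDATE wikidb.user SET user_rights = 'sysop' WHERE user_id = 1;
--        -> fails: no UPDATE privilege anywhere
SHOW GRANTS FOR 'wikiquery'@'localhost';
```

Two things matter for this to close the hole: the sysop query page must open its own connection as `wikiquery` rather than reusing the application's main connection, and the grants should be re-checked with `SHOW GRANTS` whenever the schema changes, since a newly added sensitive column on a table with a plain table-level `SELECT` grant becomes readable automatically. As Brion notes, this does nothing about developer accounts, which still connect with full privileges.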