hi all,

I just edited a page on the rails wiki, which is great, but it means that it's totally open to attack by anyone who wants to write a (very simple) spamming script. It would be a _lot_ of work to revert the wiki to a good state if that happened.

Some sort of basic "are you human" visual correlates testing is necessary, or perhaps actual authentication.

I'd rather have the former - people who are going to the trouble of authing themselves as human manually will likely have good intentions.

_a

--
alex black, founder
the turing studio, inc.

510.666.0074
root-16h2cdTTKgpzNNFeSAH1EA@public.gmane.org
http://www.turingstudio.com

2600 10th street, suite 635
berkeley, ca 94710
I guess that you do have a point. It wouldn't be too impossible to add a "fill in these numbers into these fields to verify your not-a-bot-ness" feature, seeing as most portal and forum software these days seem to have them.

On 5/17/05, alex black <enigma-16h2cdTTKgpzNNFeSAH1EA@public.gmane.org> wrote:
> hi all,
>
> I just edited a page on the rails wiki, which is great, but it means
> that it's totally open to attack by anyone who wants to write a (very
> simple) spamming script. It would be a _lot_ of work to revert the wiki
> to a good state if that happened.
>
> Some sort of basic "are you human" visual correlates testing is
> necessary, or perhaps actual authentication.
>
> I'd rather have the former - people who are going to the trouble of
> authing themselves as human manually will likely have good intentions.
>
> _a
>
> --
> alex black, founder
> the turing studio, inc.
>
> 510.666.0074
> root-16h2cdTTKgpzNNFeSAH1EA@public.gmane.org
> http://www.turingstudio.com
>
> 2600 10th street, suite 635
> berkeley, ca 94710
>
> _______________________________________________
> Rails mailing list
> Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
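One way to build the "fill in these numbers" check discussed above, as an added example that is not part of the original thread and not Instiki code. It is stateless: the server commits to the expected answer with an HMAC inside the token it hands out, so nothing needs to be stored per challenge, and a used-nonce list stops a solved token from being replayed. `HumanCheck`, `SERVER_KEY`, `TTL` and `USED` are assumed names; the key would come from configuration in a real deployment, and the replay list shown is process-local.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not Instiki code. A stateless arithmetic challenge for
# wiki edits: the token carries an HMAC over (nonce, expiry, expected sum),
# so the answer never has to be stored server-side; USED blocks replays.
module HumanCheck
  # Assumption: in a real deployment this comes from config, not source.
  SERVER_KEY = 'replace-with-a-long-random-secret'.freeze
  TTL  = 15 * 60   # seconds a challenge stays answerable
  USED = {}        # nonce => expiry; process-local (assumption), see note

  # Returns the question to show the user and an opaque token to echo back
  # in a hidden form field. The answer itself never leaves the server.
  def self.issue(now = Time.now.to_i)
    a = SecureRandom.random_number(90) + 10
    b = SecureRandom.random_number(90) + 10
    nonce = SecureRandom.hex(8)
    expires = now + TTL
    { question: "What is #{a} + #{b}?",
      token: [nonce, expires, mac(nonce, expires, a + b)].join('.') }
  end

  # True only if the answer matches the token's MAC, the token is unexpired
  # and this token has not been accepted before.
  def self.verify(token, answer, now = Time.now.to_i)
    nonce, expires, tag = token.to_s.split('.', 3)
    return false unless nonce && expires && tag
    return false unless expires.match?(/\A\d+\z/) && expires.to_i >= now
    return false unless answer.to_s.match?(/\A\d+\z/)
    return false if USED.key?(nonce)
    return false unless secure_compare(mac(nonce, expires.to_i, answer.to_i), tag)
    USED.delete_if { |_, exp| exp < now }   # keep the replay list bounded
    USED[nonce] = expires.to_i
    true
  end

  def self.mac(nonce, expires, sum)
    OpenSSL::HMAC.hexdigest('SHA256', SERVER_KEY, "#{nonce}|#{expires}|#{sum}")
  end

  # Constant-time comparison so the tag cannot be guessed byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The form handler calls `issue` when rendering the edit page and `verify` on submit, rejecting the edit (and issuing a fresh challenge) on `false`. An arithmetic question only stops scripts that do not bother to parse it; it raises the cost of a drive-by spammer, not of a determined one. With more than one server process the `USED` list has to live in a shared store, otherwise a token can be replayed once per process.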
On 5/17/05, JB Eriksson <mrkode-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I guess that you do have a point. It wouldn't be too impossible to add
> a "fill in these numbers into these fields to verify your
> not-a-bot-ness" feature, seeing as most portal and forum software
> these days seem to have them.

The wiki is powered by Instiki (http://instiki.org/show/HomePage), the great great grandfather of rails. It's now a rails App.

I'm sure if you provided a patch to implement this kind of functionality, it could be added to the rails wiki.

http://www.instiki.org/show/HowToContribute

Thankfully the wikispam and wiki vandals have mostly left us alone, so I don't really think it's too urgent

--
Cheers

Koz
This is more of a problem on the Rails Trac. Just look at this patch:
http://dev.rubyonrails.com/ticket/1026

:(

Thomas

On 17.05.2005 at 09:11, Michael Koziarski wrote:
> The wiki is powered by Instiki (http://instiki.org/show/HomePage), the
> great great grandfather of rails. It's now a rails App.
>
> I'm sure if you provided a patch to implement this kind of
> functionality, it could be added to the rails wiki.
>
> http://www.instiki.org/show/HowToContribute
>
> Thankfully the wikispam and wiki vandals have mostly left us alone, so
> I don't really think it's too urgent
>
> --
> Cheers
>
> Koz
Thomas Fuchs wrote:
> This is more of a problem on the Rails Trac. Just look at this patch:
> http://dev.rubyonrails.com/ticket/1026
>
> :(
>
> Thomas

Yeah, those .java files aren't too helpful for Rails patches =/

Speaking of trolls, the #rubyonrails channel on FreeNode was out of control on Saturday night. Some bored twit was taking over nicks (4 or 5 at a time, including 'nextangle' at one point) and posting nearly unintelligible Nazi ASCII art. No one had ops, but eventually someone managed to find levin from FreeNode and get him to kick him out.

Tangent #2: Has the ops / channel auth issue been worked out with David? He's going to Brazil soon...

Finally, (since you pointed to the upload progress feature) are you and Sean playing with Lighty 1.4's mod_uploadprogress? It looks quite promising. Too bad I can't get the 1.4 trunk to compile on TxD.

Time for bed...

--Matt
> Yeah, those .java files aren't too helpful for Rails patches =/

:)

> Finally, (since you pointed to the upload progress feature) are you
> and Sean playing with Lighty 1.4's mod_uploadprogress? It looks
> quite promising. Too bad I can't get the 1.4 trunk to compile on TxD.

No, not really. I personally use Apache2/mod_fastcgi. I had trouble with lighttpd's file upload before, so I guess this has to wait until 1.4 is out.

The architecture of our upload_progress patch should (hopefully easily) allow querying lighttpd's mod_uploadprogress instead of our Ruby-based metering.

Thomas
Karol Hosiawa
2005-May-17 08:19 UTC
Re: wiki is super insecure - help me increase my pagerank :)
This conversation reminded me of possibilities to set up some kind of google bomb for my site :)

Current Rails Wiki PageRank is about 4 so we can add something like

%{display: none;}"2012":http://nitrozen.com/articles/category/2012%

to any Wiki page and it will help my site in Google's pagerank. So, let's do it! :-)

Seriously, this Wiki engine should add rel="nofollow" for external links, like it's done at Wikipedia (I tried to hack this one too but because of this rel="nofollow" it didn't work :))) or add a defined, visible style class for every external link.

--
Best
Karol Hosiawa
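Both of Karol's suggestions, plus a fix for the hidden-link trick itself, as an added example that is not part of the thread and not Instiki's renderer. It post-processes the HTML a wiki engine has already rendered: anchors whose `href` leaves the wiki get `rel="nofollow"` and a visible `class="external"`, and inline `style` attributes that hide content (`display: none`, `visibility: hidden`, `font-size: 0`) are dropped from every tag, so a link wrapped in `%{display: none;}` still shows up for human readers to notice and revert. `WIKI_HOST`, `harden_links` and `external?` are assumed names; the sample HTML in the test is constructed.

```ruby
require 'uri'

# Added example, not Instiki code. Marks off-site links and strips styles
# that hide content from rendered wiki HTML. WIKI_HOST is an assumption.
WIKI_HOST = 'wiki.example.org'.freeze

HREF_ATTR  = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')/i
STYLE_ATTR = /\s+style\s*=\s*(?:"([^"]*)"|'([^']*)')/i
# CSS that makes text invisible to readers while search engines still see it.
HIDING_CSS = /display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|%)?\s*(?:;|\z)/i

# True for links that leave the wiki: absolute URLs with another host,
# protocol-relative URLs, non-http schemes, and anything URI cannot parse.
def external?(href, site_host = WIKI_HOST)
  return false if href.nil? || href.strip.empty?
  uri = begin
    URI.parse(href.strip)
  rescue URI::InvalidURIError
    return true
  end
  return false if uri.scheme.nil? && uri.host.nil?      # relative path or #anchor
  return false if uri.host && uri.host.casecmp?(site_host)
  true
end

# Rewrites every opening tag: drop hiding styles on any element, then tag
# external anchors. Closing tags and text nodes pass through untouched.
def harden_links(html, site_host = WIKI_HOST)
  html.gsub(/<([a-z][a-z0-9]*)\b([^>]*)>/i) do
    tag, attrs = $1.downcase, $2
    attrs = attrs.gsub(STYLE_ATTR) { HIDING_CSS.match?($1 || $2) ? '' : $& }
    if tag == 'a'
      href = (m = HREF_ATTR.match(attrs)) && (m[1] || m[2])
      if external?(href, site_host)
        # replace any author-supplied rel/class so they cannot undo the marking
        attrs = attrs.gsub(/\s+(?:rel|class)\s*=\s*(?:"[^"]*"|'[^']*')/i, '')
        attrs += ' rel="nofollow" class="external"'
      end
    end
    "<#{tag}#{attrs}>"
  end
end
```

This runs over the output of the markup renderer, after any user-controlled HTML has been sanitised; regex tag matching is good enough for the well-formed HTML a renderer emits, but it is not a substitute for a real sanitiser on raw user input (Textile and similar markups can also let authors emit tags directly). A stylesheet rule for `a.external` then makes every off-site link visibly different, which is Karol's second suggestion.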
On 5/17/05, Matt Pelletier <pelletierm-A1PILTyJ15gXhy9q4Lf3Ug@public.gmane.org> wrote:
> Speaking of trolls, the #rubyonrails channel on FreeNode was out of
> control on Saturday night. Some bored twit was taking over nicks (4 or 5
> at a time, including 'nextangle' at one point) and posting nearly
> unintelligible Nazi ASCII art. No one had ops, but eventually someone
> managed to find levin from FreeNode and get him to kick him out.

No ops on there as I write this, either, nor #ruby-lang. Having just 1 or 2 ops in these things can really be a problem.
Michael Campbell wrote:
> On 5/17/05, Matt Pelletier <pelletierm-A1PILTyJ15gXhy9q4Lf3Ug@public.gmane.org> wrote:
>> Speaking of trolls, the #rubyonrails channel on FreeNode was out of
>> control on Saturday night. Some bored twit was taking over nicks (4 or 5
>> at a time, including 'nextangle' at one point) and posting nearly
>> unintelligible Nazi ASCII art. No one had ops, but eventually someone
>> managed to find levin from FreeNode and get him to kick him out.
>
> No ops on there as I write this, either, nor #ruby-lang. Having just
> 1 or 2 ops in these things can really be a problem.

The general consensus at the time immediately following the attack was that one or two of the regulars being given ops, esp. when David is not online, would not be a problem. There was plenty of discussion about the caveats of power trips and such, but I've not found that kind of 'asshole-ism' among the rails people, so it's worth the risk. There are only so many regulars... and they're all major contributors to rails, so if they turn on us, we can always mutiny.

What certainly was widely dumped on during the discussion was auto-ops, so I doubt that's going to happen.
On Tue, 17 May 2005, Matt Pelletier wrote:
> The general consensus at the time immediately following the attack was
> that one or two of the regulars being given ops, esp. when David is not

The whole thing could be solved with one ChanServ bot. It's a trivial problem - someone just needs to set it up.

--Steve
On May 17, 2005, at 12:30 AM, Thomas Fuchs wrote:
> This is more of a problem on the Rails Trac. Just look at this patch:
> http://dev.rubyonrails.com/ticket/1026
>
> :(
>
> Thomas

Those are pretty regular exploit attempts where people upload a .2 or .3 file that is a PHP shell script. There are several safeguards in against them but those guys in particular are focusing on wikis (most trac installs will have them show up at a point).

- Jason
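The upload pattern Jason describes, a PHP shell renamed to `.2` or `.3`, is aimed at checks that only reject by file name: a denylist of `.php` does nothing against a renamed file, and whether the server executes the upload depends on where it is stored and how it is served, not on what the uploader called it. The validator below is an added example, not Trac's attachment code and not one of the safeguards Jason mentions. It allowlists extensions instead of denylisting them, sniffs the first bytes for script markers regardless of the name, and derives the storage name from the content hash so nothing the client sent reaches the filesystem except the vetted extension. `ALLOWED_EXT`, `MAX_BYTES`, `SCRIPT_MARKERS` and `check_attachment` are assumed names and values; the uploads in the test are constructed.

```ruby
require 'digest'

# Added example, not Trac code. Attachment vetting that does not trust the
# file name: extension allowlist, content sniff for script markers, and a
# server-chosen storage name. ALLOWED_EXT and MAX_BYTES are assumptions.
ALLOWED_EXT = %w[.diff .patch .txt .png .gif .jpg].freeze
MAX_BYTES   = 512 * 1024
SCRIPT_MARKERS = [
  /<\?php/i,                                  # PHP open tag
  /<\?=/,                                     # PHP short echo tag
  /<script\b[^>]*language\s*=\s*["']?php/i,   # legacy PHP script tag
  /\A#!/,                                     # shebang: perl/sh/python CGI
].freeze

# Returns { ok:, problems:, stored_as: }. Every failed check is reported so
# the caller can log what the uploader tried, not just the first problem.
def check_attachment(filename, bytes)
  problems = []
  base = File.basename(filename.to_s)         # drops any ../ traversal
  ext  = File.extname(base).downcase          # "shell.2" -> ".2"
  problems << "extension #{ext.inspect} not allowed" unless ALLOWED_EXT.include?(ext)
  problems << "larger than #{MAX_BYTES} bytes" if bytes.bytesize > MAX_BYTES

  head = bytes.byteslice(0, 4096).to_s.b      # binary view: bad UTF-8 cannot raise
  if (hit = SCRIPT_MARKERS.find { |re| re.match?(head) })
    problems << "content looks like a server-side script (#{hit.source})"
  end

  # Name by content hash so the client controls nothing on disk but the
  # allowlisted extension; the original name stays in the ticket metadata.
  stored = "#{Digest::SHA256.hexdigest(bytes)[0, 16]}#{ext}"
  { ok: problems.empty?, problems: problems, stored_as: stored }
end
```

The sniff catches the plain `<?php` shells this thread is about, but a marker check can be evaded (script text placed past the first 4 KB, or hidden inside an image that is still a valid PHP file), so the check that actually matters is where the file lands: an attachment directory with script execution disabled and, ideally, served from a separate host name. Treat the content sniff as a way to log and block the obvious attempts, not as the boundary.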
> I'm sure if you provided a patch to implement this kind of
> functionality, it could be added to the rails wiki.

Heh - maybe so. Not at the moment, though - I'm busy enough deciding if I'm going to switch to rails fully for all of my company's projects, and contribute a buttload of code to the project. My company's contributions will likely be full packages integrated into RoR that people can use on their sites, like DB and static content crawling + searching, full hierarchical RBAC, lotsa testing tools, probably a meta-form-def package on top of the FormHelper stuff... geh, the list is long :)

> Thankfully the wikispam and wiki vandals have mostly left us alone, so
> I don't really think it's too urgent

I do. The first time you get attacked, whoever has to clean up that (ugly) mess will be PISSED. I have direct experience with this problem. It's why we put a password on the binarycloud wiki. I spent a whole late night fighting some script kiddie moron. It's worth the 2 hours of work, trust me :)

_a

--
alex black, founder
the turing studio, inc.

510.666.0074
root-16h2cdTTKgpzNNFeSAH1EA@public.gmane.org
http://www.turingstudio.com

2600 10th street, suite 635
berkeley, ca 94710