FreeBSD wiki offline for a bit

Simon L. B. Nielsen simon at FreeBSD.org
Sun Jan 6 20:40:53 UTC 2013


Hey,

tl;dr Wiki is back, and everybody with account need to reset their password.

On 4 January 2013 22:38, Simon L. B. Nielsen <simon at freebsd.org> wrote:
> Due to a security issue in the moinmoin wiki software, the FreeBSD
> wiki will be offline for a bit. I do not yet know if the issue
> actually has been exploited in the FreeBSD wiki (haven't had the time
> yet to examine it), but I took the wiki down just in case.
>
> Note that even if the software was compromised, it was considered
> untrusted from the start and as such heavily sandboxed (including
> jailed) to keep it away from any sensitive FreeBSD.org parts, so there
> is absolutely no reason to believe a compromise would go any further
> than the wiki itself.
>
> I hope to have the wiki back within 24 hours, assuming not too much
> gets in the way.
>
> For further reference see: http://moinmo.in/SecurityFixes and
> http://permalink.gmane.org/gmane.linux.debian.devel.announce/1754 .
>
> PS. this is entirely unrelated to the 2012 November FreeBSD.org compromise.

The wiki is back now.

Looking at logs it there were people attempting to exploit this back
in July but I do not think they actually succeeded. It seemed to
mostly automated bot and not a target attempt.

The wiki has been reinstalled from scratch and users and pages were
copied. As I did a very selective copy it's entirely possible I made
the wiki unhappy, so let me know if you see issues.

Just to be extra safe I have reset all password, so everybody will
need need to use the standard account recovery process to set a new
password.

On a side note we have ~23000 user accounts and had 26000 empty pages
mostly caused by spammers, so someone(tm) will likely need to find a
way to change how we handle wiki user accounts to fix this.

PS. only reason I could see that they tried back in July was that I
found out I had forgotten to set up log rotation, so the wiki logfile
was over 3GB :-). (It was the internal log file which doesn't contain
user IP's so privacy part isn't really an issue.)

-- 
Simon L. B. Nielsen
Hat: clusteradm


More information about the freebsd-ports mailing list