2008-04-07

"Hacking" MediaWiki PasswordProtected extension

I say "Hacking" because this is so retarded that I can't even believe it.

A group I'm working with (not directly related to HiR Information Report) is thinking of setting up a Wiki on the network for internal collaboration as well as communication of policies and contact information to other groups within the organization. They want some stuff (for instance, step-by-step audit documentation) to be shielded from view. This isn't Internet-facing, but it's stuff that no one else really needs to know. With that, they had the sysadmins install MediaWiki with the PasswordProtected extension.

Usage is simple. You use a "password" tag object around the text of the password you want to use.

Bypassing it is even simpler. Just look at the page history of the password protected page. There, in plain text, lies the password for all to see. See, I told you I couldn't justify saying "hacking" without putting quotes around it. I've been unable to get in touch with the maintainer of this extension.

Consider me disgusted. If you use this extension, quit fooling yourself. I guess it's back to the drawing board for my friends, though.
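An audit check for the problem described above, as an added example that is not part of the original post or the extension's code: it walks a full-history MediaWiki XML export and lists every stored revision whose wikitext carries a password tag, without echoing the secret. The `<password>secret</password>` syntax, the sample export and all names in it are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed tag syntax: <password>secret</password> embedded in the page wikitext.
PASSWORD_TAG = re.compile(r"<password\b[^>]*>(.*?)</password\s*>", re.I | re.S)

# Constructed sample in the shape of a Special:Export dump with full history.
SAMPLE_EXPORT = """<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.10/">
  <page>
    <title>Audit procedure</title>
    <revision><id>101</id><text>Draft steps, not protected yet.</text></revision>
    <revision><id>102</id><text>&lt;password&gt;hunter2&lt;/password&gt; Step 1 ...</text></revision>
    <revision><id>103</id><text>&lt;password&gt;n3w-s3cret&lt;/password&gt; Step 1 ...</text></revision>
  </page>
  <page>
    <title>Contact list</title>
    <revision><id>200</id><text>Help desk: ext. 1234</text></revision>
  </page>
</mediawiki>"""

def local(tag):
    """Strip the XML namespace so any export schema version is accepted."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or an empty string."""
    for child in elem:
        if local(child.tag) == name:
            return child.text or ""
    return ""

def find_exposed_revisions(export_xml):
    """Return (title, revision id, distinct-secret index) for each stored
    revision whose wikitext holds a password tag. Secrets are not returned."""
    findings = []
    for page in ET.fromstring(export_xml).iter():
        if local(page.tag) != "page":
            continue
        title, seen = child_text(page, "title"), []
        for rev in page:
            if local(rev.tag) != "revision":
                continue
            for secret in PASSWORD_TAG.findall(child_text(rev, "text")):
                if secret not in seen:
                    seen.append(secret)
                findings.append((title, child_text(rev, "id"), seen.index(secret) + 1))
    return findings

if __name__ == "__main__":
    for title, rev_id, n in find_exposed_revisions(SAMPLE_EXPORT):
        print(f"{title!r} revision {rev_id}: password #{n} stored in clear text")
```

Every revision listed keeps its password readable in history, so changing the password in a later edit does not retire the earlier ones. Content that actually needs restricting belongs behind access control that does not store the secret in the page text.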
