Date: Tue, 19 Feb 2008 17:30:22 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: wiki - e-mail address obfuscation

I wrote:
> ... it only
> obfuscates e-mail addresses it recognizes - not anything with an @-sign.
> So we need to be very careful about this - e-mail addresses must be
> entered as <user@...mple.org> - with the angle brackets.

Of course, folks will often be entering e-mail addresses without
the angle brackets, at least initially - and that's enough for the
spammers because old revisions of wiki pages are available.  I've
fixed a few of these right in the underlying files (for the old
revisions), but I'm afraid I'll give up now.

> I just found another issue: it is possible to "show differences to
> current version" without being logged in - and, of course, original
> (non-obfuscated) e-mail addresses are seen in these source diffs.
> 
> Unless we come up with a way to address that (e.g., somehow disable this
> feature for anonymous visitors), I'm afraid that we'll have to obfuscate
> addresses manually prior to entering them into the wiki...

With many contributors to the wiki (which is great!), I'm afraid that we
won't be able to "enforce manual obfuscation" either.

So I think that we need to enhance DokuWiki ourselves or request the
enhancement from upstream - and do it urgently.  Specifically, we need
two things:

1. DokuWiki should optionally detect e-mail addresses that are not in
angle brackets, and obfuscate those as well.  Alternatively, it should
replace all @-signs.

2. DokuWiki should optionally restrict the "show differences to current
version" feature to logged in users (or even to certain groups).
Alternatively, it should obfuscate e-mail addresses (or replace @-signs)
even in the diffs.

Dmitry (Galaxy) - will you be able to take care of discussing this with
upstream - and maybe developing, contributing, and applying a patch (to
our install)?  Any other volunteers?

Thanks in advance,

Alexander
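As an added illustration (not part of the original post, and not DokuWiki's own code), the two requested behaviours sketched in Python: obfuscate every address whether or not it is wrapped in angle brackets, and build the revision diff from text that has already been obfuscated so the diff view leaks nothing. The regex, the mode names and the sample revisions are assumptions of this example.

```python
import difflib
import re

# Matches an e-mail address with or without surrounding angle brackets.
# The optional <...> is consumed so it disappears from the output too.
EMAIL_RE = re.compile(r"<?([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)>?")


def obfuscate_address(local: str, domain: str, mode: str = "visible") -> str:
    """Render one address in a form without a literal '@'.

    "visible": human-readable 'user [at] host [dot] tld' (sample convention)
    "hex":     every character as an HTML numeric entity, as a browser
               renders it normally but a naive harvester sees no '@'
    """
    if mode == "visible":
        return f"{local} [at] {domain.replace('.', ' [dot] ')}"
    if mode == "hex":
        return "".join(f"&#x{ord(c):x};" for c in f"{local}@{domain}")
    raise ValueError(f"unknown obfuscation mode: {mode}")


def obfuscate_text(text: str, mode: str = "visible") -> str:
    """Obfuscate all addresses in a page, bracketed or bare."""
    return EMAIL_RE.sub(
        lambda m: obfuscate_address(m.group(1), m.group(2), mode), text
    )


def obfuscated_diff(old: str, new: str, mode: str = "visible") -> list[str]:
    """Unified diff of two revisions, computed on obfuscated text.

    Obfuscating before diffing (rather than post-processing diff lines)
    guarantees the '-' and '+' lines never contain a raw address.
    """
    old_lines = obfuscate_text(old, mode).splitlines()
    new_lines = obfuscate_text(new, mode).splitlines()
    return list(difflib.unified_diff(old_lines, new_lines, "rev1", "rev2", lineterm=""))


if __name__ == "__main__":
    # Constructed sample revisions: one bare address, one bracketed.
    rev1 = "Maintainer: alice@example.org\nStatus: draft"
    rev2 = "Maintainer: <bob@example.org>\nStatus: draft"
    for line in obfuscated_diff(rev1, rev2):
        print(line)
```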
