SecurityAlertOne

From StatusNet



This is a SECURITY ALERT for Laconica sites. All Laconica sites should review the security alert to ensure that their site is not affected.

Security Alert 0000001

Users who register with OpenID will be given a blank password. Anyone can then log in to the user's account with the blank password.

Versions affected

The bug does not affect sites that use any release versions of Laconica. Only sites that are tracking the darcs repository will see this bug.

Fix

A fix has been applied to the darcs repository. All sites should update their Laconica software to prevent abuse of this security bug.

Additionally, site owners should run the following SQL to eliminate the blank passwords:

update user set password = NULL where password = md5(concat('', id));
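
The following is an added example, not code from Laconica or from this alert: it runs the alert's UPDATE against a constructed in-memory table to show which rows the predicate matches and which it leaves alone. It assumes, as the query above implies, that a stored password is md5 of the password concatenated with the user id; the sample rows and the SQLite stand-ins for MySQL's md5() and concat() are constructed for illustration.

```python
import hashlib
import sqlite3

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def munge(password, user_id):
    # Assumed storage scheme, inferred from the alert's UPDATE: md5(password + id)
    return md5_hex(password + str(user_id))

def build_db():
    """Constructed sample data: only table/column names come from the alert."""
    db = sqlite3.connect(":memory:")
    # SQLite has no md5() or concat(); register equivalents of the MySQL functions
    db.create_function("md5", 1, md5_hex)
    db.create_function("concat", 2, lambda a, b: str(a) + str(b))
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, password TEXT)")
    rows = [
        (1, munge("correct horse", 1)),  # account with a real password
        (2, munge("", 2)),               # OpenID registration hit by the bug
        (3, None),                       # account with no password set (NULL)
        (4, munge("", 4)),               # second affected account
    ]
    db.executemany("INSERT INTO user (id, password) VALUES (?, ?)", rows)
    return db

# Audit query: same predicate as the fix, run first to see what will change
AFFECTED = "SELECT id FROM user WHERE password = md5(concat('', id)) ORDER BY id"
# The alert's statement, unchanged apart from keyword case
FIX = "UPDATE user SET password = NULL WHERE password = md5(concat('', id))"

def affected_ids(db):
    return [row[0] for row in db.execute(AFFECTED)]

def apply_fix(db):
    # Returns the number of rows whose blank-password hash was cleared
    return db.execute(FIX).rowcount

if __name__ == "__main__":
    db = build_db()
    print("affected before fix:", affected_ids(db))
    print("rows updated:", apply_fix(db))
    print("affected after fix:", affected_ids(db))
```

Running the audit query before and after the UPDATE on a real site gives a count of exposed accounts and confirms that none remain.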