

Hello,

Sorry for duplicating my post here.
I think it is related to security, so it is worth letting people know as
soon as possible; please forgive me for my double post.
I asked on the libreoffice-user IRC but got no reply, so I am posting here.
Thanks for any help!

Here is my original post to design@global.libreoffice.org:

===
Hello,

Sorry to post an off-topic question here, but I think it is worth doing.
Please forgive me if I made any stupid mistake.

Half an hour ago I tried to register a new account on
https://wiki.documentfoundation.org , below is what happened:

1.
I opened https://wiki.documentfoundation.org with Chromium
(18.0.1025.168  Ubuntu 11.10)
Chromium's URL bar told me:
" https://wiki.documentfoundation.org is verified by StartCom Class 2
Primary Intermediate Server CA "
and showed a green lock at the left of the URL bar.

2.
Then I opened 
https://wiki.documentfoundation.org/index.php?title=Special:UserLogin&action=submitlogin&type=signup
The green lock changed to a red "X", and Chromium told me:
"However, this page includes other resources which are not secure."

3.
I didn't care about the warning too much, and just typed in the username, password and so on.

4.
Finally I clicked on the "Submit" button; however, nothing happened.
I thought it was a temporary network connection issue, so I clicked
the "Submit" button again and again.
However, still nothing happened.

5.
I opened the developer tools of Chromium, looked at the console, and
found the errors below:
--- snip ---
Failed to load resource
https://challenge.asirra.com/cgi/Asirra?action=ScoreResponse&sessionId=undefined&response=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined&rand=0.827300843084231
https://challenge.asirra.com/images/border5.gifFailed to load resource
https://challenge.asirra.com/images/hip_help.gifFailed to load resource
https://challenge.asirra.com/images/hip_reload.gifFailed to load resource
--- snip ---

6.
I opened https://challenge.asirra.com directly, and it jumped to:
http://research.microsoft.com/en-us/um/redmond/projects/asirra/

So I guess there is a man-in-the-middle attack!!!

Here is some other information:
$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 4.2.2.1

$ mtr 8.8.8.8
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                       Packets               Pings
 Host                                Loss%   Snt   Last   Avg  Best  Wrst StDev
 1. 180.88.16.1                      11.1%     9    3.5   4.8   2.3  17.2   5.0
 2. 180.88.16.1                      11.1%     9   12.5   5.1   2.7  12.5   3.6
 3. ???
 4. 172.16.253.190                    0.0%     8    2.2   4.1   2.2   9.1   2.4
 5. 172.16.253.174                    0.0%     8    2.5   3.9   2.5   5.6   1.2
 6. ???
(no more routers were shown)

The HTML source saved from the LibreOffice new account page:
http://paste.ubuntu.com/1151609/

JavaScript source code from http://challenge.asirra.com/js/AsirraClientSide.js
http://paste.ubuntu.com/1151612/
( http://challenge.asirra.com/js/AsirraClientSide.js is found from
https://wiki.documentfoundation.org/index.php?title=Special:UserLogin&action=submitlogin&type=signup
)

Content of 
https://challenge.asirra.com/cgi/Asirra?action=ScoreResponse&sessionId=undefined&response=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined&rand=0.827300843084231
(Got this URL from the console output regarding "Failed to load
resource" in step 5)
http://paste.ubuntu.com/1151615/


The above is what I know at this time; I'm not very sure what happened.

I need your help:
1. Could someone confirm whether the register new account page of the
LibreOffice wiki works for you?
2. Could someone help to figure out if the LibreOffice website itself
is attacked, or if I got attacked?

I just want to create a new account and add some fonts to the font
wish list, but sadly I can't create an account at all...

Thanks in advance!

===

-- 
Regards,
Qian Hong

-
Sent from Ubuntu
http://www.ubuntu.com/
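
Added example, not part of the original message and not LibreOffice or MediaWiki code: a check that lists subresources an https page loads over plain http, the condition Chromium's "other resources which are not secure" message in step 2 reports. The sample HTML is constructed; only the AsirraClientSide.js and hip_reload.gif URLs come from the message, and the other paths and the example.invalid host are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, kind). "active" content can script the page and read
# form fields such as a password; "passive" content can only alter what is shown.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # other <link> kinds are not applied to the page
        url = (attrs.get(attr) or "").strip()
        resolved = urljoin(self.page_url, url)  # handles /path and //host/path
        if url and urlsplit(resolved).scheme == "http":
            self.findings.append((kind, tag, resolved))

def find_mixed_content(page_url, html):
    """Return sorted (kind, tag, url) for http subresources of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return sorted(finder.findings)

PAGE_URL = ("https://wiki.documentfoundation.org/index.php"
            "?title=Special:UserLogin&action=submitlogin&type=signup")
# Constructed sample, not the real page source.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/constructed/main.css">
<script src="http://challenge.asirra.com/js/AsirraClientSide.js"></script>
</head><body>
<img src="//challenge.asirra.com/images/hip_reload.gif">
<img src="http://example.invalid/constructed.png">
</body></html>"""
if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit https from the page and are not reported; only the two explicit http:// references are.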
