https://bugzilla.novell.com/show_bug.cgi?id=342605
Summary: Links to YMP files (1-click install) shouldn't be freely editable by everybody
Product: openSUSE.org
Version: unspecified
Platform: Other
OS/Version: Other
Status: NEW
Severity: Critical
Priority: P5 - None
Component: wiki
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: bugreports@tittel.net
QAContact: adrian@novell.com
Found By: ---

Since openSUSE 10.3, the wiki contains a lot of links to YMP files for 1-click installation. These links can be edited by anybody with a freshly created Novell account. So for example on http://en.opensuse.org/NVIDIA, somebody could simply change the 1-click installation link from http://opensuse-community.org/nvidia.ymp to http://opensuse-trojan.org/trojan.ymp, with trojan.ymp being a YMP that pulls in malicious software.

This is dangerous for three reasons:

1) Even now the YMP files are not always hosted on opensuse.org, so even if users check the status line of their browser when clicking on the "1-click installation" link (and quite frankly, most won't), they will not see anything wrong with it, as long as the URL sounds nice (the malicious YMP could just be hosted on a domain like opensuse-ymp-packages.org or something).

2) The OpenPGP keys for most repositories are not shipped with openSUSE 10.3. This means the user will be asked to accept the key of the repository no matter whether it is the real repository or a malicious one.

3) To the user, the wiki seems like an official SUSE site, and it is very often referenced when users seek help with a certain topic. This means lots of users will hit wiki pages and use 1-click install links from the wiki without much critical thinking.
Quite frankly, I don't see what would prevent an attacker from just editing a wiki page and changing 1-click install links to point to his malicious YMPs, compromising lots of computers in no time, because the average user has little to no chance of seeing that something is wrong with the YMPs. Of course, sooner or later somebody will notice it and revert the wiki changes, but there is no way to tell how soon that will happen and how many PCs will have been compromised by then. This is why I think this should really be addressed.

An easy solution could be to move all YMP files to opensuse.org and only allow 1-click installation links to point to URLs on opensuse.org. But I am not an expert on legal matters (can the YMPs be moved to an official openSUSE server?) or the wiki.
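Added example, not part of the bug report and not code from the openSUSE wiki: a Python check that implements the restriction the reporter proposes, scanning wiki markup for .ymp links and flagging every one whose host is not opensuse.org or a subdomain of it. The allowed-host list, the simplified MediaWiki link regex and the sample page text are assumptions constructed for the example. Note that under this policy the legitimate opensuse-community.org link from the report is flagged too, which is exactly why the report pairs the restriction with moving the YMP files onto opensuse.org. The host comparison is done on the dot boundary so that look-alikes of the kind the report describes (opensuse-ymp-packages.org, opensuse.org.evil.example, or opensuse.org@evil.example smuggled in as userinfo) are rejected rather than accepted by a naive substring or prefix match.

```python
"""Flag 1-click-install (.ymp) links in wiki markup whose host is not on
an allow-list. Example code written for this page, not wiki code."""
import re
from urllib.parse import urlsplit, unquote

# Assumption (hypothetical policy value): only these registrable domains,
# and their subdomains, may serve YMP files referenced from the wiki.
ALLOWED_HOSTS = ("opensuse.org",)

# Simplified matcher for the URL inside MediaWiki external links
# "[http://... label]" and for bare http(s) URLs in page text.
_URL_RE = re.compile(r'''https?://[^\s\]<>"']+''', re.IGNORECASE)


def host_is_allowed(host, allowed=ALLOWED_HOSTS):
    """True only for an allowed domain or one of its subdomains.

    Matching on the dot boundary rejects look-alikes such as
    opensuse-ymp-packages.org and opensuse.org.evil.example.
    """
    if not host:
        return False
    host = host.lower().rstrip(".")  # normalise case and trailing dot
    return any(host == a or host.endswith("." + a) for a in allowed)


def classify_ymp_url(url, allowed=ALLOWED_HOSTS):
    """Return 'ok', 'bad-host' or 'bad-scheme' for a single .ymp URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "bad-scheme"
    # parts.hostname drops userinfo and port, so
    # http://opensuse.org@evil.example/ yields 'evil.example' and is rejected.
    if not host_is_allowed(parts.hostname, allowed):
        return "bad-host"
    return "ok"


def find_ymp_links(wikitext):
    """Yield every http(s) URL in the markup whose path ends in .ymp."""
    for m in _URL_RE.finditer(wikitext):
        url = m.group(0).rstrip(".,;:)")  # drop sentence punctuation
        path = unquote(urlsplit(url).path)
        if path.lower().endswith(".ymp"):
            yield url


def check_page(wikitext, allowed=ALLOWED_HOSTS):
    """Map each .ymp link on the page to its verdict.

    A wiki hook could refuse to save an edit when any verdict != 'ok'.
    """
    return {url: classify_ymp_url(url, allowed)
            for url in find_ymp_links(wikitext)}


# Constructed sample page text modelled on the scenario in the bug report.
SAMPLE_PAGE = """
== Installation ==
[http://download.opensuse.org/repositories/X11:/Drivers:/Video/nvidia.ymp 1-click install]
[http://opensuse-community.org/nvidia.ymp community 1-click install]
[http://opensuse-ymp-packages.org/nvidia.ymp 1-click install]
[http://opensuse.org.evil.example/nvidia.ymp 1-click install]
[http://opensuse.org@evil.example/nvidia.ymp 1-click install]
See also http://en.opensuse.org/Extra/NVIDIA.YMP.
"""

if __name__ == "__main__":
    for url, verdict in check_page(SAMPLE_PAGE).items():
        print(f"{verdict:10s} {url}")
```

Running the block prints one line per .ymp link: the two opensuse.org links are "ok", the other four are "bad-host". Wiring `check_page` into the save path of the wiki would turn the reporter's proposal into an enforced rule; the function deliberately returns a verdict per link rather than a single boolean so that an edit-rejection message can name the offending URL.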