#3056 session cookies for the fedoraproject wiki are sent to all fedoraproject.org domains
Closed: Fixed None Opened 12 years ago by toshio.

= phenomenon =
Once you log into https://fedoraproject.org/wiki/ you are given a set of cookies that identifies you to the wiki. {{{fpo-mediawiki_en__session}}} is the session cookie. Because the domain of these cookies is set to fedoraproject.org, these cookies are sent to any server in the fedoraproject.org domain including publictest and dev which are less secured than the production and staging machines. That makes the wiki session cookies susceptible to sniffing and stealing by attackers who have gained access to one of our least secured hosts.

If an attacker gains a session cookie, they should have access to modify the fedoraproject.org wiki as that user. In most cases, this doesn't grant many more privileges than simply opening a fake account in FAS would do although it might be another layer of indirection. There are a few accounts where added permissions are gained. Compromising a packaging committee member's session cookie would get the ability to edit the packaging guidelines. spot's account would grant the ability to edit the Legal section of the wiki.

= Recommendation =

We need to decide if this is something we want to worry about and if so, how to solve it. Possible solutions if we do worry about it:


I have just tested this, and this is NOT the case.
The cookie is set for 'fedoraproject.org', and not the wildcard version '.fedoraproject.org', which makes sure it is only sent to the root domain, and not to sub-domains.
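As an added illustration (not code from the ticket or from Fedora Infrastructure), this Python model of the RFC 6265 cookie-scoping rules shows which hosts a browser sends a cookie to depending on whether the Set-Cookie header carries a Domain attribute; RFC 6265 ignores a leading dot, so Domain=fedoraproject.org and Domain=.fedoraproject.org scope the cookie identically, and only a host-only cookie (one set with no Domain attribute at all) stays bound to the host that set it. The hostnames other than fedoraproject.org and the cookie value are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ScopedCookie:
    name: str
    domain: str      # canonicalised: lower-case, no leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def parse_set_cookie(header: str, setting_host: str) -> ScopedCookie:
    """Apply the RFC 6265 section 5.3 domain rules to one Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain_attr = ""
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":
            # Section 5.2.3: a leading dot is ignored, so Domain=.fedoraproject.org
            # and Domain=fedoraproject.org scope the cookie identically.
            domain_attr = value.strip().lower().lstrip(".")
    if not domain_attr:
        # No Domain attribute: host-only cookie, bound to the host that set it.
        return ScopedCookie(name, setting_host.lower(), host_only=True)
    if not domain_matches(setting_host, domain_attr):
        raise ValueError(f"{setting_host} may not set a cookie for {domain_attr}")
    return ScopedCookie(name, domain_attr, host_only=False)

def sent_to(cookie: ScopedCookie, request_host: str) -> bool:
    """Section 5.4: host-only cookies need an exact host match, others domain-match."""
    if cookie.host_only:
        return cookie.domain == request_host.lower()
    return domain_matches(request_host, cookie.domain)

# Constructed hosts: the ticket names publictest/dev boxes but not their FQDNs.
HOSTS = ("fedoraproject.org", "publictest.fedoraproject.org", "wiki.example.org")

def audit(header: str, setting_host: str, hosts=HOSTS) -> dict:
    """Map each host to whether a browser would send it the cookie from `header`."""
    cookie = parse_set_cookie(header, setting_host)
    return {h: sent_to(cookie, h) for h in hosts}

if __name__ == "__main__":
    # Cookie value "abc" is a constructed placeholder.
    for hdr in ("fpo-mediawiki_en__session=abc; Domain=fedoraproject.org; Path=/; Secure",
                "fpo-mediawiki_en__session=abc; Path=/; Secure; HttpOnly"):
        print(hdr, "->", audit(hdr, "fedoraproject.org"))
```

Running it shows the Domain-scoped session cookie reaching the publictest placeholder host while the host-only variant reaches fedoraproject.org alone, which is the check to run against the wiki's actual Set-Cookie header.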
