Author: ral315
Description:
When logged in as a sysop, one can create a user account for other users,
sending a password to the user via e-mail. In 1.8.2 and before, this password
was randomly generated; however, simply logging in with nothing in the password
field is successful.
Even after logging in, both the password and a blank entry work interchangeably,
until the user changes it via Special:Preferences (in which case, only the new
password works). Even if the user logs in with the password they received via
e-mail, another user could log in later with a blank password field.
This bug has been confirmed by me in 1.8.2 and 1.7.1; a user on IRC confirms
this on 1.6.8 (the current release for PHP4 users). This doesn't work on the
English Wikipedia because the e-mail password feature requires the sysop to
enter a password for the new user. Given the extensions and changes present on
Wikipedia, I'm not sure if a vanilla svn release would be affected or not.
Version: 1.8.x
Severity: critical
Platform: PC
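An added illustration, constructed for this page and not MediaWiki's own code, of the failure mode the report describes: if an account record's primary password slot is filled with a hash of the empty string at creation while the mailed password lives in a temporary slot, a login check that accepts either slot will take the mailed password or a blank one until the user sets a real password. The hardened variants never store a usable empty password and reject blank input before comparing anything; the names `create_vulnerable`, `check_hardened`, `set_password` and the two-slot `Account` layout are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model of the reported symptom; not MediaWiki's own code. An
# account keeps a primary password hash plus a temporary hash for the
# password mailed at creation, and either slot may satisfy a login.

def pw_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + ":" + password).encode()).hexdigest()

@dataclass
class Account:
    name: str
    salt: str
    password_hash: Optional[str]  # primary password, None until set
    temp_hash: Optional[str]      # mailed password, None once retired

def _matches_any_slot(acct: Account, candidate: str) -> bool:
    h = pw_hash(candidate, acct.salt)
    return any(stored is not None and hmac.compare_digest(h, stored)
               for stored in (acct.password_hash, acct.temp_hash))

def create_vulnerable(name: str, mailed_pw: str) -> Account:
    """Flawed creation: the primary slot is filled with the hash of ''."""
    salt = secrets.token_hex(8)
    return Account(name, salt, pw_hash("", salt), pw_hash(mailed_pw, salt))

def check_vulnerable(acct: Account, candidate: str) -> bool:
    """Flawed check: a blank candidate matches the empty-string hash."""
    return _matches_any_slot(acct, candidate)

def create_hardened(name: str, mailed_pw: str) -> Account:
    """Hardened creation: no primary password exists until the user sets one."""
    salt = secrets.token_hex(8)
    return Account(name, salt, None, pw_hash(mailed_pw, salt))

def check_hardened(acct: Account, candidate: str) -> bool:
    """Hardened check: reject blank input before touching any hash."""
    return bool(candidate) and _matches_any_slot(acct, candidate)

def set_password(acct: Account, new_pw: str) -> None:
    """Special:Preferences equivalent: set the primary password, retire the mailed one."""
    if not new_pw:
        raise ValueError("password must not be empty")
    acct.password_hash = pw_hash(new_pw, acct.salt)
    acct.temp_hash = None
```

A regression check for a fix should cover both halves: a blank login must fail on a freshly created account, and the mailed password must stop working once the user has set their own.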