Page MenuHomePhabricator

Creating a user account via e-mail allows logging in with blank password
Closed, ResolvedPublic


Author: ral315

When logged in as a sysop, one can create a user account for other users,
sending a password to the user via e-mail. In 1.8.2 and before, this password
was randomly generated; however, simply logging in with nothing in the password
field is successful.

Even after logging in, both the password and a blank entry work interchangeably,
until the user changes it via Special:Preferences (in which case, only the new
password works). Even if the user logs in with the password they received via
e-mail, another user could log in later with a blank password field.

This bug has been confirmed by me in 1.8.2 and 1.7.1; a user on IRC confirms
this on 1.6.8 (the current release for PHP4 users). This doesn't work on the
English Wikipedia because the e-mail password feature requires the sysop to
enter a password for the new user. Given the extensions and changes present on
Wikipedia, I'm not sure if a vanilla svn release would be affected or not.

Version: 1.8.x
Severity: critical
Platform: PC



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:35 PM
bzimport set Reference to bz8219.
bzimport added a subscriber: Unknown Object (MLST).

That's because you specified the initial password as blank (and the
form is really crappy and makes you put in an initial password
for this).

  • This bug has been marked as a duplicate of 6394 ***