
Creating a user account via e-mail allows logging in with blank password
Closed, Resolved, Public

Description

Author: ral315

Description:
When logged in as a sysop, one can create a user account for other users,
sending a password to the user via e-mail. In 1.8.2 and before, this password
was randomly generated; however, simply logging in with nothing in the password
field is successful.

Even after logging in, both the password and a blank entry work interchangeably,
until the user changes it via Special:Preferences (in which case, only the new
password works). Even if the user logs in with the password they received via
e-mail, another user could log in later with a blank password field.

This bug has been confirmed by me in 1.8.2 and 1.7.1; a user on IRC confirms
this on 1.6.8 (the current release for PHP4 users). This doesn't work on the
English Wikipedia because the e-mail password feature requires the sysop to
enter a password for the new user. Given the extensions and changes present on
Wikipedia, I'm not sure if a vanilla svn release would be affected or not.


Version: 1.8.x
Severity: critical
Platform: PC

Details

Reference
bz8219

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 9:35 PM
bzimport set Reference to bz8219.
bzimport added a subscriber: Unknown Object (MLST).

That's because you specified the initial password as blank (and the
form is really crappy and makes you put in an initial password
for this).

  • This bug has been marked as a duplicate of 6394
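The report above and the closing comment together describe one failure mode: an account created with a blank initial password ends up with two valid credentials, the random e-mailed one and the empty string, until the user changes the password. The Python below is an added example written for this page, not MediaWiki's own code. It models the behaviour with a two-slot scheme (a permanent password hash plus a temporary e-mailed one), which is my assumption about the mechanism, not something the report states; the class names, the `reject_empty` switch and the toy PBKDF2 hashing are constructed for illustration. The vulnerable configuration reproduces the reported behaviour; the hardened one refuses an empty password at account creation, at login and at password change.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ITERATIONS = 100_000  # constructed cost; tune a real KDF for production


def hash_password(password: str, salt: bytes) -> bytes:
    """Toy password hashing (PBKDF2-HMAC-SHA256) for the example only."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class StoredUser:
    salt: bytes
    password_hash: bytes          # permanent password slot
    temp_hash: Optional[bytes]    # e-mailed temporary password slot, if any


class UserStore:
    """Hypothetical account store; reject_empty=False reproduces the reported bug."""

    def __init__(self, reject_empty: bool):
        self.reject_empty = reject_empty
        self.users: Dict[str, StoredUser] = {}

    def create_by_email(self, name: str, initial_password: str) -> str:
        """Sysop creates an account. Returns the temporary password that would be e-mailed."""
        if self.reject_empty and initial_password == "":
            raise ValueError("initial password must not be empty")
        salt = secrets.token_bytes(16)
        temp_password = secrets.token_urlsafe(12)
        self.users[name] = StoredUser(
            salt=salt,
            # The bug: with a blank form field this stores hash(""), so "" logs in.
            password_hash=hash_password(initial_password, salt),
            temp_hash=hash_password(temp_password, salt),
        )
        return temp_password

    def login(self, name: str, candidate: str) -> bool:
        """Accept the candidate if it matches either slot (constant-time compares)."""
        user = self.users.get(name)
        if user is None:
            return False
        if self.reject_empty and candidate == "":
            return False  # never let an empty password through, whatever is stored
        candidate_hash = hash_password(candidate, user.salt)
        if hmac.compare_digest(candidate_hash, user.password_hash):
            return True
        if user.temp_hash is not None and hmac.compare_digest(candidate_hash, user.temp_hash):
            return True
        return False

    def change_password(self, name: str, new_password: str) -> None:
        """User sets a password: re-salt, overwrite the permanent slot, drop the temp slot."""
        if self.reject_empty and new_password == "":
            raise ValueError("new password must not be empty")
        user = self.users[name]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.temp_hash = None  # the e-mailed password stops working, as the report describes


def reproduce_report() -> dict:
    """Walk through the reported behaviour on the vulnerable store."""
    store = UserStore(reject_empty=False)
    temp = store.create_by_email("alice", "")      # blank initial password, as in the bug
    before = {
        "blank_works": store.login("alice", ""),
        "emailed_works": store.login("alice", temp),
    }
    store.change_password("alice", "correct-horse-battery")
    after = {
        "blank_works": store.login("alice", ""),
        "emailed_works": store.login("alice", temp),
        "new_works": store.login("alice", "correct-horse-battery"),
    }
    return {"before_change": before, "after_change": after}


if __name__ == "__main__":
    print(reproduce_report())
```

The check that matters in the hardened store is the one at creation time: the form that lets a sysop submit a blank initial password is the root cause the closing comment points at, and a login-time refusal of empty candidates is the defence in depth that still protects accounts already created that way.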