Author: barichd
Description:
If a user doesn't change their password from what they originally got by email,
then at least on my installtion of MediaWiki, it is possible to log in to that
account while leaving the password box blank. This is a serious security
problem, and I have not been able to reproduce it on wikipedia, but upgrading
our wiki to the latest version did not fix the problem. Also, on our wiki one
can create accounts with blank passwords, which is not possible on wikipedia either.
Version: unspecified
Severity: critical
OS: Windows XP
Platform: PC
URL: http://microbewiki.kenyon.edu