
Login without password possible under certain circumstances
Closed, ResolvedPublic

Description

Author: barichd

Description:
If a user doesn't change their password from what they originally got by email,
then at least on my installation of MediaWiki, it is possible to log in to that
account while leaving the password box blank. This is a serious security
problem, and I have not been able to reproduce it on wikipedia, but upgrading
our wiki to the latest version did not fix the problem. Also, on our wiki one
can create accounts with blank passwords, which is not possible on wikipedia either.


Version: unspecified
Severity: critical
OS: Windows XP
Platform: PC
URL: http://microbewiki.kenyon.edu

Details

Reference
bz9727

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 21 2014, 9:41 PM
bzimport set Reference to bz9727.
bzimport added a subscriber: Unknown Object (MLST).

titoxd.wikimedia wrote:

Which version is this? The copy on SVN, or a stable release?

Special:Version says MediaWiki: 1.7.1 (not the last version!)

Account creation is disabled, but I could log in with a blank password to an
existing account.

barichd wrote:

Thanks for telling me about Special:Version. We tried upgrading to MediaWiki
1.9.3 with a test clone called BioWiki, but the problem was still there. It's
been reverted to the older version, but I'll let you know when the BioWiki site
is upgraded again to the latest version so you can try it out.

anaconda wrote:

This doesn't seem to be a bug.

From DefaultSettings.php (added in r7317):

/**
 * Specifies the minimal length of a user password. If set to
 * 0, empty passwords are allowed.
 */
$wgMinimalPasswordLength = 0;

You probably haven't changed that setting in LocalSettings.php.
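The setting quoted in the comment above, shown as an added example rather than anything from the bug report or from MediaWiki itself: the weak value beside the corrected one in a LocalSettings.php excerpt, followed by a hypothetical standalone policy check and login routine (the function names, the use of password_hash/password_verify and the sample password are assumptions, not MediaWiki's API). The point it makes is that a minimum length of 0 lets a blank password satisfy the policy at account creation, so the login path should refuse a blank submission on its own instead of trusting the configurable minimum.

```php
<?php
// LocalSettings.php excerpt (added example). The variable is the one quoted
// from DefaultSettings.php above; the commented-out line is the weak value.
// $wgMinimalPasswordLength = 0;   // weak: a blank password satisfies the policy
$wgMinimalPasswordLength = 1;      // hardened: at least one character required

/**
 * Hypothetical policy check, not MediaWiki code: the rule that account
 * creation (and any password change) should apply to a candidate password.
 * Characters are counted with mb_strlen so multibyte input is measured fairly.
 */
function passwordMeetsPolicy(string $password, int $minLength): bool
{
    return mb_strlen($password) >= $minLength;
}

/**
 * Hypothetical login routine, not MediaWiki code. A blank submission is
 * refused before any other check, so an account whose stored hash happens to
 * be the hash of an empty string (created while the minimum was 0) cannot be
 * entered with an empty password box even if the policy still allows it.
 */
function loginAllowed(string $submitted, string $storedHash, int $minLength): bool
{
    if ($submitted === '') {
        return false;
    }
    if (!passwordMeetsPolicy($submitted, $minLength)) {
        return false;
    }
    return password_verify($submitted, $storedHash);
}

// Constructed demonstration data: one account with a real password, one
// created with a blank password while the minimum was still 0.
$goodHash  = password_hash('correct horse', PASSWORD_DEFAULT);
$blankHash = password_hash('', PASSWORD_DEFAULT);

// The policy alone accepts a blank password when the minimum is 0, and
// rejects it once the minimum is raised to 1.
var_dump(passwordMeetsPolicy('', $wgMinimalPasswordLength - 1));
var_dump(passwordMeetsPolicy('', $wgMinimalPasswordLength));

// The login path refuses the blank submission in both configurations, even
// against the account whose stored hash is the hash of the empty string.
var_dump(loginAllowed('', $blankHash, 0));
var_dump(loginAllowed('', $blankHash, $wgMinimalPasswordLength));

// A real password against its own hash still works.
var_dump(loginAllowed('correct horse', $goodHash, $wgMinimalPasswordLength));
```

Run it with `php example.php` (mbstring enabled). Raising `$wgMinimalPasswordLength` closes the account-creation hole described in the report, but it does nothing for accounts that already exist with an empty password, which is why the explicit refusal of a blank submission sits in the login routine rather than only in the policy check.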

ayg wrote:

I believe Brion fixed this in 1.10.

*** This bug has been marked as a duplicate of 6394 ***

aaron.schulz wrote:

content hidden as private in Bugzilla