AntiSpoof should check against CentralAuth database
Closed, Resolved
Public


Currently, there is a MAJOR leak in the anti spoof system. In order to create an account name similar to that of an existing user (even if the user already has an SUL, which they probably mostly do), all you need to do is find a Wiki project where the user doesn't have an account yet (probably easy to guess, or else it can be checked), create a similar account name (this is an SUL), and then log in where the active user is active - and you have spoofed him successfully.

Version: unspecified
Severity: enhancement

bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz15545.
OdMishehu created this task. Via Legacy, Sep 10 2008, 5:26 AM
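
The gap described in this report, as an added example (not code from AntiSpoof or CentralAuth): a look-alike check run only against the local wiki's accounts, next to one that also consults the global account list. The confusables map, wiki names and account names are constructed, and the folding is a simplification, not AntiSpoof's actual algorithm.

```python
import unicodedata

# Constructed, deliberately tiny look-alike map (assumption). A real
# equivalence table is far larger; this one only covers the samples below.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0456": "i",  # Cyrillic/Ukrainian i
})

def skeleton(name):
    """Fold a username to a comparison key: NFKC, casefold, map look-alikes."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return folded.translate(CONFUSABLES)

# Constructed sample data: per-wiki account tables and the global (SUL) table.
LOCAL_ACCOUNTS = {
    "enwiki": {"ExampleAdmin"},
    "frwikibooks": set(),  # the existing user has never logged in here
}
GLOBAL_ACCOUNTS = {"ExampleAdmin"}

def conflicts(candidate, existing):
    """Return existing names whose skeleton equals the candidate's."""
    key = skeleton(candidate)
    return sorted(n for n in existing if skeleton(n) == key)

def may_create(candidate, wiki, use_global):
    """Allow creation only if no look-alike exists in the checked pool."""
    pool = set(LOCAL_ACCOUNTS[wiki])
    if use_global:
        pool |= GLOBAL_ACCOUNTS  # the check this report asks for
    return not conflicts(candidate, pool)

if __name__ == "__main__":
    for wiki in LOCAL_ACCOUNTS:
        for use_global in (False, True):
            ok = may_create("Examp1eAdmin", wiki, use_global)
            print(f"{wiki:12} global_check={use_global!s:5} allowed={ok}")
```

With the local-only check, the look-alike name is refused on the wiki where the original account exists but accepted on the wiki where it does not; adding the global table closes that difference.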
bzimport added a comment. Via Conduit, Sep 13 2008, 5:44 AM

soxred93 wrote:

Changing to MediaWiki extensions, as AntiSpoof is an extension

bzimport added a comment. Via Conduit, Oct 19 2008, 6:47 PM

soxred93 wrote:

*** Bug 15841 has been marked as a duplicate of this bug. ***

bzimport added a comment. Via Conduit, Jun 18 2009, 2:51 AM

mike.lifeguard+bugs wrote:

Updated summary.

demon added a comment. Via Conduit, Jul 22 2009, 10:39 PM

*** Bug 19869 has been marked as a duplicate of this bug. ***

Reedy added a comment. Via Conduit, Dec 24 2011, 10:48 PM

Duping against bug 28747 as that's where the work has been done

*** This bug has been marked as a duplicate of bug 28747 ***
