
Major security flaw in protecting pages
Closed, DeclinedPublic

Description

When you add a right in MediaWiki to be used for page protection, let's say founder: I went to protect a page and set editing to sysops only and move permissions to founders only. I then created an account and gave it sysop rights only; I was able to edit the move rights to a lower level. If a test account with admin rights can do it, then any other administrator can.


Version: 1.14.x
Severity: major

Details

Reference
bz16344

Event Timeline

bzimport raised the priority of this task from to Lowest. Nov 21 2014, 10:28 PM
bzimport set Reference to bz16344.
bzimport added a subscriber: Unknown Object (MLST).

charlie wrote:

This is a problem with his wiki host, YourWiki. I've instructed him to move his request to our Support Desk there. Changing to closed.

bretthillebrand wrote:

If you also add protect as a protection type, that will stop this happening.

charlie wrote:

Do you mean a "restriction level"? Or something different?

bretthillebrand wrote:

Yes. Example given:

// Restriction levels: '' means unrestricted; a custom level such as 'Staff'
// is satisfied by a user right of the same name.
$wgRestrictionLevels = array( '', 'autoconfirmed', 'sysop', 'Staff' );
// Restriction types, with 'protect' added so that changing the protection
// of a page can itself be restricted to a level.
$wgRestrictionTypes = array( 'edit', 'move', 'delete', 'protect' );

Note how protection itself is a protection type.
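The check at issue in this task, modelled as an added Python example (not MediaWiki code): the permissive check lets any holder of the `protect` right rewrite every restriction level, while the stricter check also requires the actor to satisfy each level currently applied and each level proposed. The group-to-rights table, the `founder` level and the level-to-right mapping are constructed for illustration.

```python
# Added example (not MediaWiki code): a toy model of the protection-change
# check described in this task, with the permissive check beside a stricter one.

# Constructed group -> rights table. A custom level such as 'founder' is
# assumed to be satisfied by a right of the same name.
GROUP_RIGHTS = {
    "user": {"edit"},
    "sysop": {"edit", "protect"},
    "founder": {"edit", "protect", "founder"},
}

# Right that satisfies each restriction level ('' means unrestricted).
LEVEL_RIGHT = {
    "": None,
    "autoconfirmed": "autoconfirmed",
    "sysop": "protect",
    "founder": "founder",
}

def rights_of(groups):
    """Union of the rights granted by a user's groups."""
    return set().union(*(GROUP_RIGHTS.get(g, set()) for g in groups))

def satisfies_level(groups, level):
    """True if the user's rights meet the given restriction level."""
    needed = LEVEL_RIGHT[level]
    return needed is None or needed in rights_of(groups)

def can_change_protection_permissive(groups, current, proposed):
    """Behaviour reported above: any holder of 'protect' may set any level."""
    return "protect" in rights_of(groups)

def can_change_protection_strict(groups, current, proposed):
    """Stricter check: besides 'protect', the actor must satisfy every level
    currently applied and every level proposed, so a page protected at a
    level above the actor's own access cannot be lowered by that actor."""
    if "protect" not in rights_of(groups):
        return False
    levels = set(current.values()) | set(proposed.values())
    return all(satisfies_level(groups, lvl) for lvl in levels)

if __name__ == "__main__":
    current = {"edit": "sysop", "move": "founder"}  # as in the report
    lowered = {"edit": "sysop", "move": "sysop"}    # a sysop lowering 'move'
    print(can_change_protection_permissive(["sysop"], current, lowered))  # True
    print(can_change_protection_strict(["sysop"], current, lowered))      # False
    print(can_change_protection_strict(["founder"], current, lowered))    # True
```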