
Users can edit any page
Closed, Declined · Public

Description

I installed MediaWiki today and was astonished to realize that anyone can edit pages. This obviously must be an oversight, as allowing anonymous contributions could not possibly be a design goal.

Suggest removal of anonymous page editing forthwith and closing this major security breach.


Version: 1.3.x
Severity: critical
OS: other

Details

Reference
bz28357

Event Timeline

bzimport raised the priority of this task from to Unbreak Now!. Nov 21 2014, 11:28 PM
bzimport set Reference to bz28357.
bzimport added a subscriber: Unknown Object (MLST).

I'm pretty sure this is a dup but can't seem to find it.... =(

happy.melon.wiki wrote:

1.3 is no longer supported. Can you confirm that the problem still exists on trunk?

:D

Created attachment 8357
Commit this ASAP

I'm not really familiar with Brainfuck, but this patch appears to fix the bug.

attachment userCant.patch ignored as obsolete

Not a blocker to 1.17 release, cannot confirm this problem in trunk or REL1_17.

(In reply to comment #3)

1.3 is no longer supported. Can you confirm that the problem still exists on trunk?

Why isn't 1.3 supported? Windows 95 supports it.

I'm actually seeing this behavior on my 1.15 install. My boss is kind of anxious about it; when can we see a tarball?

Created attachment 8358
Updated patch

(In reply to comment #6)

I'm actually seeing this behavior on my 1.15 install.

I see it now, seems to affect all versions of MediaWiki.

Proposed patch is a little less draconian than comment 4 (also it's in Ruby, not Brainfuck, it would seem) and prohibits anonymous actions.

My boss is kind of anxious about it; when can we see a tarball?

Hmm, to release a patch for all affected versions? Gonna need at least a week or two to sort out the backports and run unit tests for regressions.

Attached:

Not only can users edit pages, it seems that their private information gets leaked, too.
Steps to reproduce:

  1. Reproduce this bug (i.e. "hack mediawiki")
  2. Click on "history"
  3. Note the IP address of the hacker, time and date

This seems to be a huge privacy vulnerability.

Actually, on further inspection, this seems like it would create an AWESOME backdoor to hacking people's wikis. Let's keep it in ;-)

WONTFIX!