
Non-administrator edited interface page
Closed, Invalid (Public)

Description

Author: aliter

Description:
The user w:fy:Meidogger:YurikBot has just changed
w:fy:MediaWiki:Disambiguationspage, a protected page. YurikBot does not have
administrator status on fy:, so he/it should not be able to change a protected
page. Apparently, the user, or its controller if it really is a bot, has found a
security hole.


Version: unspecified
Severity: normal
URL: http://fy.wikipedia.org/w/index.php?title=MediaWiki:Disambiguationspage&curid=1333&diff=49826&oldid=38897

Details

Reference
bz7150

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 9:24 PM
bzimport set Reference to bz7150.
bzimport added a subscriber: Unknown Object (MLST).

ral315 wrote:

Quote in IRC:

<rotemliss> Ral315: I think it's an automated script run from the server, but
I'm not sure; yurikbot and TimStarling may know more about that.

YurikBot also made a similar edit to the English Wikipedia's same page. I'm
inclined to think it is automatic; otherwise, yes, this is a severe breach.

Yuri Astrakhan is our buddy. He's done some great work developing for MediaWiki, so now
he gets some special privileges. He changed the behaviour of
MediaWiki:Disambiguationspage in the software, and wanted to follow that up with some
edits to Wikipedia, so of course we were happy to let him. We might give him full shell
access at some time in the future.

aliter wrote:

Yuri Astrakhan is definitely not my buddy. On the wikis he comes across as
arrogant, and he is one of the people who feel that adding words in capitals to
the summary is enough explanation, never mind discussion.

Me, I would not at all be happy if he got the rights to vandalise the small
wikis further. But apart from that: We have different levels of user rights; why
bother with those if they're going to be ignored?

Even if you explain this as human error, it's still a security breach. And if it
really is a bot, this has quite the potential for disaster.

ayg wrote:

The edit was manually imported. It's not a security breach to allow people with
shell access (or whatever he used) to import pseudo-edits. To the contrary,
it's much more efficient than using an actual bot.

Normally such edits are made from special accounts named something like "Wiki
update script", so it's clear what's going on. I suggest this convention be
followed in the future.

robchur wrote:

All server-side or automated edits need to be marked as such. This needs to be
clear in the edit summary. It's not a question of who likes who, or whose ass
was kissed, it's a simple question of being able to say, "ok, that edit was done
server-side, and it wasn't a security error".
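The check robchur asks for, written out as an added example (this is not code from the bug thread or from MediaWiki itself): walk a batch of recent edits, decide for each whether the editing account actually held the right needed to edit the page, and if not, whether the edit is declared as server-side by the account name or an edit-summary marker. Anything left over is the case that needs a human look. The rights table, the reserved account names, the summary markers and the sample edits are all assumptions constructed for this example; only the rule that MediaWiki: pages need `editinterface` and that an explicit protection needs a matching right reflects how MediaWiki enforces protection in the web path.

```python
from dataclasses import dataclass

# Simplified group -> rights table (assumption; real tables are per-wiki and
# are not shown in the bug report).
GROUP_RIGHTS = {
    "*": {"edit"},
    "user": {"edit"},
    "bot": {"edit", "bot"},
    "sysop": {"edit", "protect", "editprotected", "editinterface"},
}

# Accounts reserved for server-side edits, following the naming convention the
# thread suggests (assumed list, constructed for this example).
SERVER_SIDE_ACCOUNTS = {"Wiki update script", "MediaWiki default"}

# Edit-summary markers that declare an edit as server-side (assumed convention).
SERVER_SIDE_MARKERS = ("[server-side]", "[maintenance script]")


@dataclass(frozen=True)
class Edit:
    user: str
    title: str           # full title with namespace prefix, e.g. "MediaWiki:Foo"
    summary: str
    groups: frozenset    # groups the account holds on this wiki


def rights_for(groups):
    """Union of the rights granted by the implicit '*' group and each listed group."""
    rights = set(GROUP_RIGHTS["*"])
    for group in groups:
        rights |= GROUP_RIGHTS.get(group, set())
    return rights


def required_right(title, protections):
    """Right needed to edit `title`, or None if the page is unprotected.

    Pages in the MediaWiki: namespace are always restricted (they need
    'editinterface'); other pages are restricted only when explicitly protected.
    """
    if title.startswith("MediaWiki:"):
        return "editinterface"
    return protections.get(title)


def classify(edit, protections):
    """Explain how an edit to a page got through protection."""
    need = required_right(edit.title, protections)
    if need is None:
        return "unprotected"
    if need in rights_for(edit.groups):
        return "authorized"          # the web path would have allowed it
    if edit.user in SERVER_SIDE_ACCOUNTS or any(m in edit.summary for m in SERVER_SIDE_MARKERS):
        return "server-side"         # declared as a script run from the server
    return "UNEXPLAINED"             # neither right nor declaration: investigate


def audit(edits, protections):
    return [(e.user, e.title, classify(e, protections)) for e in edits]


# Constructed sample records modelled on the thread; not real log data.
SAMPLE_PROTECTIONS = {"Main Page": "editprotected"}
SAMPLE_EDITS = [
    Edit("YurikBot", "MediaWiki:Disambiguationspage", "Updated disambiguation page",
         frozenset({"user", "bot"})),
    Edit("Wiki update script", "MediaWiki:Disambiguationspage", "Sync with software change",
         frozenset({"user"})),
    Edit("Admin", "MediaWiki:Disambiguationspage", "tweak", frozenset({"user", "sysop"})),
    Edit("Someone", "Main Page", "[server-side] refresh", frozenset({"user"})),
    Edit("Someone", "Sandbox", "test", frozenset({"user"})),
]


def unexplained(edits=SAMPLE_EDITS, protections=SAMPLE_PROTECTIONS):
    """Edits to protected pages that are neither authorized nor declared server-side."""
    return [(u, t) for u, t, verdict in audit(edits, protections) if verdict == "UNEXPLAINED"]


if __name__ == "__main__":
    for row in audit(SAMPLE_EDITS, SAMPLE_PROTECTIONS):
        print(*row, sep="\t")
```

With the sample data, the YurikBot edit is the only one that comes back UNEXPLAINED: the account lacks `editinterface`, is not a reserved server-side account, and its summary carries no marker. The same edit made from "Wiki update script", or from any account with a marked summary, is accounted for without anyone needing to ask on IRC who ran what.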

rotemliss wrote:

(In reply to comment #3)

Yuri Astrakhan is definitely not my buddy. On the wikis he comes across as
arrogant, and he is one of the people who feel that adding words in capitals to
the summary is enough explanation, never mind discussion.

Me, I would not at all be happy if he got the rights to vandalise the small
wikis further. But apart from that: We have different levels of user rights; why
bother with those if they're going to be ignored?

Even if you explain this as human error, it's still a security breach. And if it
really is a bot, this has quite the potential for disaster.

He just operates bots, e.g. interwiki bots which fix the interwiki links, and redirect
bots which fix double redirects. This is far from vandalism, and this is a fix
for maintenance. It is not a human error, and it is not vandalism: it is a
script which was operated from the server itself by the maintainers. In the same
way, MediaWiki default - see [[fy:Special:Contributions/MediaWiki_default]] -
changes system messages to the default. It has nothing to do with security.