Last modified: 2009-05-31 11:35:02 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and kept for historical purposes. It is not possible to log in, and apart from displaying bug reports and their history, links might be broken. See T21010, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 19010 - It is possible to make brute force login attack to not global account
Status: RESOLVED INVALID
Product: MediaWiki extensions
Classification: Unclassified
Component: CentralAuth
Version: unspecified
Hardware/OS: All All
Importance: Normal major
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2009-05-30 11:48 UTC by sp5uhe (Paweł Zienowicz)
Modified: 2009-05-31 11:35 UTC
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---



Description sp5uhe (Paweł Zienowicz) 2009-05-30 11:48:18 UTC
This is a security risk for old (not used for now) administrator accounts!

An attack schema on a non-global account called "nnn" on the wiki "iii":
1) I create an account called "nnn" at several wikis
2) I convert the account "nnn" to a global account
3) I try to join the "nnn" on the wiki "iii" to my global account - no restrictions on the number of unsuccessful attempts, no captcha
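The control the report says is missing at step 3 is a limit on failed attempts to attach a local account to a global one. The following is an added example, not CentralAuth code and not the reporter's, of such a throttle: failures are counted per target local account (wiki, username) inside a sliding window, a captcha is demanded after a few failures and attaching is refused entirely after more. Class and function names, the thresholds, the window length and the PBKDF2 password hashing are all assumptions for the example.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed thresholds for this example; real values belong in site config.
CAPTCHA_AFTER = 3      # failures per target before a captcha is demanded
LOCK_AFTER = 10        # failures per target before attaching is refused
WINDOW_SECONDS = 3600  # sliding window in which failures are counted


class AttachThrottle:
    """Counts failed attach attempts per (wiki, username), i.e. per target.

    The key is the target local account, not the caller's global account:
    in the scenario above the caller controls the global side, so a limit
    keyed on the caller would be reset by simply creating another one.
    """

    def __init__(self, captcha_after=CAPTCHA_AFTER, lock_after=LOCK_AFTER,
                 window=WINDOW_SECONDS):
        self.captcha_after = captcha_after
        self.lock_after = lock_after
        self.window = window
        self._failures = defaultdict(deque)  # (wiki, user) -> failure times

    def _prune(self, key, now):
        """Drop failures older than the window; return the remaining count."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def status(self, wiki, username, now):
        n = self._prune((wiki, username), now)
        if n >= self.lock_after:
            return "locked"
        if n >= self.captcha_after:
            return "captcha"
        return "ok"

    def record_failure(self, wiki, username, now):
        self._failures[(wiki, username)].append(now)

    def record_success(self, wiki, username):
        self._failures.pop((wiki, username), None)


def hash_password(password, salt, iterations=100_000):
    """Hypothetical password hash for the local account (PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def attempt_attach(throttle, wiki, username, password, stored, now,
                   captcha_ok=False):
    """One attach attempt; `stored` is (salt, hash) for the local account.

    Returns "locked", "captcha_required", "attached" or "failed".
    The throttle is consulted before the password is checked, so a locked
    target never reaches the hash comparison at all.
    """
    state = throttle.status(wiki, username, now)
    if state == "locked":
        return "locked"
    if state == "captcha" and not captcha_ok:
        return "captcha_required"
    salt, expected = stored
    if hmac.compare_digest(hash_password(password, salt), expected):
        throttle.record_success(wiki, username)
        return "attached"
    throttle.record_failure(wiki, username, now)
    return "failed"


def demo():
    """Constructed scenario: repeated wrong passwords for 'nnn' on 'iii'."""
    throttle = AttachThrottle()
    salt = b"constructed-salt"
    stored = (salt, hash_password("correct horse", salt))
    # Phase 1: no captcha answered, one attempt per second.
    phase1 = [attempt_attach(throttle, "iii", "nnn", "guess%d" % t, stored, now=t)
              for t in range(12)]
    # Phase 2: captcha answered each time; failures keep counting to the lock.
    phase2 = [attempt_attach(throttle, "iii", "nnn", "guess%d" % t, stored,
                             now=t, captcha_ok=True)
              for t in range(12, 24)]
    # Phase 3: once the window has passed, the right password attaches normally.
    late = attempt_attach(throttle, "iii", "nnn", "correct horse", stored,
                          now=23 + WINDOW_SECONDS)
    return phase1, phase2, late


if __name__ == "__main__":
    print(demo())
```

Keying on the target rather than the caller is the design point: the report's scenario gives the attacker as many global accounts as they like, so only a counter tied to the local account being attacked actually bounds the number of password guesses it receives.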
Comment 1 Happy-melon 2009-05-31 11:34:50 UTC
I'm sure this is a dupe. Regardless, it's not a significant attack vector against admin accounts, because the home wiki, which has control of the global account, is decided mainly dependent on local userrights. So the admin account on iiwiki will ensure that iiwiki is the home-wiki for User:nnn's global account. So it will not be possible to unify the account on another project except by gaining *higher* permissions on that project. At which point, we have a malicious admin account on xxwiki *anyway*, making the issue rather moot.


