Last modified: 2005-10-08 22:39:47 UTC

Wikimedia Bugzilla is closed!

Wikimedia has migrated from Bugzilla to Phabricator. Bug reports should be created and updated in Wikimedia Phabricator instead. Please create an account in Phabricator and add your Bugzilla email address to it.
Wikimedia Bugzilla is read-only. If you try to edit or create any bug report in Bugzilla you will be shown an intentional error message.
In order to access the Phabricator task corresponding to a Bugzilla report, just remove "static-" from its URL.
You could still run searches in Bugzilla or access your list of votes but bug reports will obviously not be up-to-date in Bugzilla.
Bug 3631 - security gap: IP style user names - IP range style user names - hijacking these accounts
security gap: IP style user names - IP range style user names - hijacking the...
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
User login and signup (Other open bugs)
1.6.x
All All
: High critical with 1 vote (vote)
: ---
Assigned To: Nobody - You can work on this!
http://fy.wikipedia.org/wiki/User:200...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-10-06 17:38 UTC by lɛʁi לערי ריינהארט
Modified: 2005-10-08 22:39 UTC (History)
1 user (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Attachments

Description lɛʁi לערי ריינהארט 2005-10-06 17:38:27 UTC
Hallo!

It should not be possible to create IP type accounts because MediaWiki makes a
kind of validation and displays [[en:MediaWiki:Noname]].

However surfing today I have seen edits of an / some anon users at
[[en:Special:Contributions/200.191.188.xxx]].

I was able to *hijack* this account - see [[en:User:200.191.188.xxx]] . Before
doing this I also created the account [[fy:User:200.191.188.xxx]].

Please close this security gap. You may cancel both accounts from the database.

Best regards Reinhardt [[user:gangleri]]
Comment 1 lɛʁi לערי ריינהארט 2005-10-06 17:52:56 UTC
Please watch [[Special:Log/newusers]] for abuse as long as this security gap is
not closed.
Comment 2 Brion Vibber 2005-10-06 23:39:37 UTC
What security gap? These are not IP addresses, though they may somewhat resemble 
them in a vague way.
Comment 3 lɛʁi לערי ריינהארט 2005-10-07 08:31:20 UTC
The security gap consists in hijacking others contributions.

[[en:User:200.191.188.xxx]] was created yesterday. But others people
contributions are now contributions of this account. Probably this conflicts
with wiki policy.

see [[en:Special:Contributions/200.191.188.xxx]]

Best regards Reinhardt [[user:gangleri]]
Comment 4 lɛʁi לערי ריינהארט 2005-10-07 09:29:02 UTC
addendum

a) There might be other cases in [[en:]] its sisterprojects or projects in other
languages.
b) Some have more contributions then required ford board votes (in the past).
c) I have no clue what would happen if an anon user from IP range
200.191.188.xxx would tray to make some edits. Maybe xxx in 200.191.188.xxx is a
historical issue. If it is not then 200.191.188.xxx is ambiguous now: it could
be an anon user or it could be a logged in user with this user name. Such
ambiguosities would not make life easier.

Best regards Reinhardt [[user:gangleri]]
Comment 5 Ævar Arnfjörð Bjarmason 2005-10-07 19:48:37 UTC
* IP addresses has the form /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/
* A logged in user does not match an IP address

Where is the ambiguity?
Comment 6 Brion Vibber 2005-10-07 21:01:42 UTC
Looks like it matches old recorded anon bits from 2001 (UseMod obscured the final octet 
of the ip for anons, at least sometimes). Note that the same applies to any unclaimed 
UseMod-era account name.

Comment 7 lɛʁi לערי ריינהארט 2005-10-07 21:54:42 UTC
(In reply to comment #5)
> * IP addresses has the form /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/
> * A logged in user does not match an IP address
> 
> Where is the ambiguity?

http://en.wikipedia.org/w/index.php?title=Wikipedia&action=history&limit=50&offset=20020821080640
shows three such "contributors". You may find these contributions also at
[[en:Special:Contributions/130.94.122.xxx]]
[[en:Special:Contributions/172.135.153.xxx]]
[[en:Special:Contributions/216.126.89.xxx]]
As I told item c) might be a historical issue and not an ambuguity any more.
Comment 8 Ævar Arnfjörð Bjarmason 2005-10-08 18:57:15 UTC
Okey so some usemod usernames use account names that kind of look like IP
addresses but should not be detected as such anywhere in the software, where's
the critical security issue here?
Comment 9 lɛʁi לערי ריינהארט 2005-10-08 19:59:11 UTC
(In reply to comment #8)
> where's the critical security issue here?

It is not trivial to log in as [[User:Ævar Arnfjörð Bjarmason]]. But it is easy
to log in as usemod usernames:
http://en.wikipedia.org/w/index.php?title=User:216.126.89.xxx&action=history

All [[Special:Contributions/216.126.89.xxx]] belong now to this "user".

Comment 10 Ævar Arnfjörð Bjarmason 2005-10-08 20:43:59 UTC
FIXED the issue in HEAD (not in any other branches since other websites probably
don't have stale usemod usernames running around), temp sysopped myself on
enwiki and permbanned the users that used this bug.
Comment 11 lɛʁi לערי ריינהארט 2005-10-08 22:39:47 UTC
Thank you Ævar! Regards Reinhardt

Note You need to log in before you can comment on or make changes to this bug.


Navigation
Links