Last modified: 2005-10-08 22:39:47 UTC
Hello! It should not be possible to create IP-type accounts because MediaWiki performs a kind of validation and displays [[en:MediaWiki:Noname]]. However, surfing today I have seen edits of an / some anon users at [[en:Special:Contributions/200.191.188.xxx]]. I was able to *hijack* this account - see [[en:User:200.191.188.xxx]]. Before doing this I also created the account [[fy:User:200.191.188.xxx]]. Please close this security gap. You may cancel both accounts from the database. Best regards Reinhardt [[user:gangleri]]
Please watch [[Special:Log/newusers]] for abuse as long as this security gap is not closed.
What security gap? These are not IP addresses, though they may somewhat resemble them in a vague way.
The security gap consists in hijacking others' contributions. [[en:User:200.191.188.xxx]] was created yesterday. But other people's contributions are now contributions of this account. Probably this conflicts with wiki policy. See [[en:Special:Contributions/200.191.188.xxx]]. Best regards Reinhardt [[user:gangleri]]
Addendum:
a) There might be other cases in [[en:]], its sister projects or projects in other languages.
b) Some have more contributions than required for board votes (in the past).
c) I have no clue what would happen if an anon user from IP range 200.191.188.xxx would try to make some edits. Maybe xxx in 200.191.188.xxx is a historical issue. If it is not, then 200.191.188.xxx is ambiguous now: it could be an anon user or it could be a logged-in user with this user name. Such ambiguities would not make life easier. Best regards Reinhardt [[user:gangleri]]
* IP addresses have the form /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
* A logged-in user does not match an IP address

Where is the ambiguity?
Looks like it matches old recorded anon bits from 2001 (UseMod obscured the final octet of the ip for anons, at least sometimes). Note that the same applies to any unclaimed UseMod-era account name.
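To make the gap concrete, here is an added example (not MediaWiki's own code, which is PHP, and not code from anyone in this thread) that puts the literal-IPv4 check from comment #5 beside a hardened check that also rejects the UseMod obscured form described in comment #7, and then runs the hardened check over a constructed [[Special:Log/newusers]]-style feed, as comment #2 suggests watching. The log line format and the sample names other than the ones already cited in this bug are assumptions.

```python
import re

# The check as comment #5 describes it: only a name that is literally a
# dotted-quad IPv4 address is treated as an IP and refused.
IPV4_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# The UseMod-era recorded form from comment #7: three numeric octets and the
# final octet replaced by "xxx". The literal-IPv4 regex above does not match it.
OBSCURED_IPV4_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.xxx", re.IGNORECASE)

# Hypothetical account-creation log line format, constructed for this example
# (the real Special:Log/newusers wording is not reproduced here).
NEWUSER_LINE_RE = re.compile(r"User account (?P<name>.+?) was created$")


def naive_is_valid_username(name: str) -> bool:
    """Accept any name that is not a literal IPv4 address.

    This is the rule from comment #5; it lets '200.191.188.xxx' through.
    """
    return IPV4_RE.fullmatch(name) is None


def hardened_is_valid_username(name: str) -> bool:
    """Also refuse the obscured UseMod form, so old anon history cannot be claimed
    by registering the matching name."""
    if IPV4_RE.fullmatch(name) is not None:
        return False
    if OBSCURED_IPV4_RE.fullmatch(name) is not None:
        return False
    return True


def flag_newuser_log(lines):
    """Return the account names in creation-log lines that the hardened check
    would reject; these are the creations worth looking at while the gap is open."""
    flagged = []
    for line in lines:
        match = NEWUSER_LINE_RE.search(line)
        if match is None:
            continue  # not an account-creation line
        name = match.group("name")
        if not hardened_is_valid_username(name):
            flagged.append(name)
    return flagged


# Constructed sample log. The first name is the one reported in this bug; the
# plain IPv4 and the two ordinary names are made up for illustration.
SAMPLE_NEWUSERS_LOG = [
    "2005-10-07 14:02 User account 200.191.188.xxx was created",
    "2005-10-07 14:10 User account Reinhardt was created",
    "2005-10-08 09:31 User account 10.0.0.5 was created",
    "2005-10-08 10:15 User account Ævar Arnfjörð Bjarmason was created",
    "2005-10-08 10:16 Page Wikipedia was edited",
]

if __name__ == "__main__":
    for name in ("200.191.188.xxx", "10.0.0.5", "Reinhardt"):
        print(name, "naive:", naive_is_valid_username(name),
              "hardened:", hardened_is_valid_username(name))
    print("flagged creations:", flag_newuser_log(SAMPLE_NEWUSERS_LOG))
```

The difference between the two validators is the whole bug: the naive rule treats "200.191.188.xxx" as an ordinary name because "xxx" is not digits, while the hardened rule refuses anything shaped like a recorded anon identity, obscured or not. The same pattern-based audit can be run over existing user tables to find names that were created before the check was tightened.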
(In reply to comment #5)
> * IP addresses have the form /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
> * A logged-in user does not match an IP address
>
> Where is the ambiguity?

http://en.wikipedia.org/w/index.php?title=Wikipedia&action=history&limit=50&offset=20020821080640 shows three such "contributors". You may find these contributions also at [[en:Special:Contributions/130.94.122.xxx]], [[en:Special:Contributions/172.135.153.xxx]] and [[en:Special:Contributions/216.126.89.xxx]]. As I said, item c) might be a historical issue and not an ambiguity any more.
Okay, so some UseMod usernames use account names that kind of look like IP addresses but should not be detected as such anywhere in the software; where's the critical security issue here?
(In reply to comment #8)
> where's the critical security issue here?

It is not trivial to log in as [[User:Ævar Arnfjörð Bjarmason]]. But it is easy to log in as UseMod usernames: http://en.wikipedia.org/w/index.php?title=User:216.126.89.xxx&action=history All [[Special:Contributions/216.126.89.xxx]] belong now to this "user".
FIXED the issue in HEAD (not in any other branches, since other websites probably don't have stale UseMod usernames running around), temp-sysopped myself on enwiki and permbanned the users that used this bug.
Thank you Ævar! Regards Reinhardt