Last modified: 2010-05-15 15:38:52 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T6227, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 4227 - Add a throttle to new password requests - 3rd party mail bombing
Status: RESOLVED DUPLICATE of bug 5370
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: 1.5.x
Hardware: All All
Importance: Normal normal with 2 votes
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Reported: 2005-12-09 02:44 UTC by Jason
Modified: 2010-05-15 15:38 UTC (History)

Description Jason 2005-12-09 02:44:43 UTC
If you enter any user's name at Special:Userlogin and endlessly click on the "Mail
me a new password" button you can generate a large amount of traffic to anyone's
email. Automated versions creating DOS attacks against email services, effectively
using a wikisite as a 3rd party service.
Comment 1 Rob Church 2005-12-09 07:47:27 UTC
Is this still an issue in a release version of MediaWiki? What of CVS HEAD?
Comment 2 Jason 2005-12-10 23:59:16 UTC
Also saw this in version 1.5.3
Comment 3 Antoine "hashar" Musso (WMF) 2005-12-11 20:32:27 UTC
Old subject:
'Add a throttle to the "mail new password" feature to counter mass-email spam'
Comment 4 Rob Church 2005-12-11 21:11:35 UTC
Er, the old summary actually listed what the request was. This is a more
unhelpful summary.
Comment 5 Jason 2005-12-17 03:55:01 UTC
Noticed this was moved to Severity enhancement? Fixing using a MediaWiki server
as a mail bomb platform is an enhancement?
Comment 6 Zigger 2005-12-17 13:20:38 UTC
(In reply to comment #5)
Is unthrottled sending regarded as a bug in SMTP servers and other mail services?
Also debatable is whether this counts as a DOS lever/accelerator when it would
cost more bytes than it generates.

But the request still gets my vote as it would remove another potential source
of nuisance and bad PR.
Comment 7 Rob Church 2006-05-16 03:04:58 UTC

*** This bug has been marked as a duplicate of 5370 ***
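
A throttle of the kind this report asks for, as an added example that is not MediaWiki code and not part of the original bug thread. It limits reset mails per target account (the mailbox being flooded) as well as per requester IP; the class name, the limits and the username normalization are assumptions.

```python
import time
from collections import defaultdict, deque


class ResetMailThrottle:
    """Decides whether a password-reset mail may be sent.

    Two independent limits (values are assumptions, tune per site):
      * per target account: one mail per `account_interval` seconds, so the
        mailbox owner is protected no matter how many clients ask;
      * per requester IP: at most `ip_limit` requests per `ip_window` seconds.
    """

    def __init__(self, account_interval=24 * 3600, ip_limit=5, ip_window=3600,
                 clock=time.time):
        self.account_interval = account_interval
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.clock = clock                   # injectable so tests control time
        self._last_mail = {}                 # normalized username -> time of last mail
        self._ip_hits = defaultdict(deque)   # requester IP -> accepted request times

    @staticmethod
    def _key(username):
        # Assumed normalization: spelling variants of one account share a key.
        return " ".join(username.replace("_", " ").split()).casefold()

    def allow(self, username, ip):
        """Return True if a reset mail should be sent for this request."""
        now = self.clock()
        hits = self._ip_hits[ip]
        while hits and now - hits[0] >= self.ip_window:
            hits.popleft()                   # drop requests outside the window
        if len(hits) >= self.ip_limit:
            return False                     # denied requests are not stored,
                                             # so memory per IP stays bounded
        hits.append(now)
        key = self._key(username)
        last = self._last_mail.get(key)
        if last is not None and now - last < self.account_interval:
            return False                     # this mailbox was mailed recently
        self._last_mail[key] = now           # only sent mails start the interval
        return True
```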
