Last modified: 2006-08-29 18:29:16 UTC
The user w:fy:Meidogger:YurikBot has just changed w:fy:MediaWiki:Disambiguationspage, a protected page. YurikBot does not have administrator status on fy:, so he/it should not be able to change a protected page. Apparently, the user, or its controller if it really is a bot, has found a security hole.
Quote in IRC: <rotemliss> Ral315: I think it's an automated script run from the server, but I'm not sure; yurikbot and TimStarling may know more about that. YurikBot also made a similar edit to the English Wikipedia's same page. I'm inclined to think it is automatic; otherwise, yes, this is a severe breach.
Yuri Astrakhan is our buddy. He's done some great work developing for MediaWiki, so now he gets some special privileges. He changed the behaviour of MediaWiki:Disambiguationspage in the software, and wanted to follow that up with some edits to Wikipedia, so of course we were happy to let him. We might give him full shell access at some time in the future.
Yuri Astrakhan is definitely not my buddy. On the wikis he comes across as arrogant, and he is one of the people who feel that adding words in capitals to the summary is enough explanation, never mind discussion. Me, I would not at all be happy if he got the rights to vandalise the small wikis further. But apart from that: We have different levels of user rights; why bother with those if they're going to be ignored? Even if you explain this as human error, it's still a security breach. And if it really is a bot, this has quite the potential for disaster.
The edit was manually imported. It's not a security breach to allow people with shell access (or whatever he used) to import pseudo-edits. To the contrary, it's much more efficient than using an actual bot. Normally such edits are made from special accounts named something like "Wiki update script", so it's clear what's going on. I suggest this convention be followed in the future.
All server-side or automated edits need to be marked as such. This needs to be clear in the edit summary. It's not a question of who likes who, or whose ass was kissed, it's a simple question of being able to say, "ok, that edit was done server-side, and it wasn't a security error".
(In reply to comment #3)
> Yuri Astrakhan is definitely not my buddy. On the wikis he comes across as
> arrogant, and he is one of the people who feel that adding words in capitals to
> the summary is enough explanation, never mind discussion.
>
> Me, I would not at all be happy if he got the rights to vandalise the small
> wikis further. But apart from that: We have different levels of user rights; why
> bother with those if they're going to be ignored?
>
> Even if you explain this as human error, it's still a security breach. And if it
> really is a bot, this has quite the potential for disaster.

He just operates bots, e.g. interwiki bots which fix the interwiki links, and redirect bots which fix double redirects. This is far from vandalism, and this is a fix for maintenance. It is not a human error, and it is not vandalism: it is a script which was operated from the server itself by the maintainers. In the same way, MediaWiki default - see [[fy:Special:Contributions/MediaWiki_default]] - changes system messages to the default. It has nothing to do with security.