Last modified: 2011-12-01 14:56:00 UTC
If a user doesn't change their password from what they originally got by email, then at least on my installation of MediaWiki, it is possible to log in to that account while leaving the password box blank. This is a serious security problem, and I have not been able to reproduce it on Wikipedia, but upgrading our wiki to the latest version did not fix the problem. Also, on our wiki one can create accounts with blank passwords, which is not possible on Wikipedia either.
Which version is this? The copy on SVN, or a stable release?
Special:Version says MediaWiki: 1.7.1 (not the last version!). Account creation is disabled, but I could log in with a blank password in an existing account.
Thanks for telling me about Special:Version. We tried upgrading to MediaWiki 1.9.3 with a test clone called BioWiki, but the problem was still there. It's been reverted to the older version, but I'll let you know when the BioWiki site is upgraded again to the latest version so you can try it out.
This doesn't seem to be a bug. From DefaultSettings.php (added in r7317):
    /**
     * Specifies the minimal length of a user password. If set to
     * 0, empty passwords are allowed.
     */
    $wgMinimalPasswordLength = 0;
You probably haven't changed that setting in LocalSettings.php.
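An added example (not part of the thread and not MediaWiki's own code): a small Python check that reads the text of a LocalSettings.php and reports whether the effective $wgMinimalPasswordLength still permits empty passwords, assuming the default of 0 from the DefaultSettings.php excerpt quoted above. The function names and both sample files are constructed for illustration, and the comment stripping is deliberately naive (it ignores string literals).

```python
import re

# Default taken from the DefaultSettings.php excerpt quoted in the thread.
QUOTED_DEFAULT = 0

# An integer assignment to the setting at the start of a line.
_ASSIGN = re.compile(r'^\s*\$wgMinimalPasswordLength\s*=\s*(\d+)\s*;', re.M)


def strip_php_comments(src):
    """Drop /* */ blocks and #, // line comments (naive: ignores strings)."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return re.sub(r'(?m)(#|//).*$', '', src)


def effective_min_length(local_settings_src):
    """Last value assigned in LocalSettings.php, else the quoted default."""
    values = _ASSIGN.findall(strip_php_comments(local_settings_src))
    return int(values[-1]) if values else QUOTED_DEFAULT


def allows_empty_passwords(local_settings_src):
    """True when the effective minimum length is 0."""
    return effective_min_length(local_settings_src) == 0


# Constructed sample: the setting only appears in a comment, so it is unset.
UNSET = '<?php\n$wgSitename = "ExampleWiki";\n# $wgMinimalPasswordLength = 8;\n'

# Constructed sample: the setting is overridden; the last assignment wins.
HARDENED = (
    '<?php\n$wgSitename = "ExampleWiki";\n'
    '$wgMinimalPasswordLength = 0;\n'
    '/* old: $wgMinimalPasswordLength = 1; */\n'
    '$wgMinimalPasswordLength = 8;\n'
)

if __name__ == "__main__":
    for name, src in (("UNSET", UNSET), ("HARDENED", HARDENED)):
        state = "ALLOWED" if allows_empty_passwords(src) else "rejected"
        print(f"{name}: minimum length {effective_min_length(src)}, "
              f"empty passwords {state}")
```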
I believe Brion fixed this in 1.10.
*** This bug has been marked as a duplicate of 6394 ***