Last modified: 2011-12-01 14:56:00 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T11727, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 9727 - Login without password possible under certain circumstances
Status: RESOLVED DUPLICATE of bug 6394
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Version: unspecified
Hardware: PC Windows XP
Importance: Highest critical with 1 vote
Assigned To: Nobody
URL: http://microbewiki.kenyon.edu
Reported: 2007-04-27 20:51 UTC by Daniel Barich
Modified: 2011-12-01 14:56 UTC

Description Daniel Barich 2007-04-27 20:51:34 UTC
If a user doesn't change their password from what they originally got by email,
then at least on my installation of MediaWiki, it is possible to log in to that
account while leaving the password box blank.  This is a serious security
problem, and I have not been able to reproduce it on Wikipedia, but upgrading
our wiki to the latest version did not fix the problem.  Also, on our wiki one
can create accounts with blank passwords, which is not possible on Wikipedia either.
Comment 1 Titoxd 2007-04-27 20:53:48 UTC
Which version is this? The copy on SVN, or a stable release?
Comment 2 Platonides 2007-04-27 21:10:01 UTC
Special:Version says MediaWiki: 1.7.1 (not the last version!)

Account creation is disabled, but I could log in with a blank password to an
existing account.
Comment 3 Daniel Barich 2007-04-27 21:16:31 UTC
Thanks for telling me about Special:Version.  We tried upgrading to MediaWiki
1.9.3 with a test clone called BioWiki, but the problem was still there.  It's
been reverted to the older version, but I'll let you know when the BioWiki site
is upgraded again to the latest version so you can try it out.
Comment 4 anaconda 2007-04-27 21:26:11 UTC
This doesn't seem to be a bug.

From DefaultSettings.php (added in r7317):
/**
 * Specifies the minimal length of a user password. If set to
 * 0, empty passwords are allowed.
 */
$wgMinimalPasswordLength = 0;

You probably haven't changed that setting in LocalSettings.php.
Comment 5 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-04-27 21:56:18 UTC
I believe Brion fixed this in 1.10.
Comment 6 Brion Vibber 2007-04-30 18:48:53 UTC

*** This bug has been marked as a duplicate of 6394 ***
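
An added example, not part of the original bug thread or MediaWiki's own code: a Python check that reads the text of a LocalSettings.php and reports whether the $wgMinimalPasswordLength default of 0 quoted in comment 4 is still in effect. The function names and sample files are constructed for illustration, and the check assumes the setting is assigned a literal integer at the start of a line.

```python
import re

# Default quoted in comment 4 from DefaultSettings.php (assumed to apply
# to the installation being audited).
DEFAULT_MIN_LENGTH = 0

# Matches an assignment at the start of a line, so "// $wg... = 6;" and
# "# $wg... = 6;" are not counted as overrides.
_ASSIGN = re.compile(r'^\s*\$wgMinimalPasswordLength\s*=\s*(\d+)\s*;', re.M)


def effective_min_length(local_settings, default=DEFAULT_MIN_LENGTH):
    """Return (value, overridden) for the given LocalSettings.php text.

    Block comments are stripped first so a commented-out override is
    ignored; the last live assignment wins, as it would when PHP runs
    the file top to bottom.
    """
    code = re.sub(r'/\*.*?\*/', '', local_settings, flags=re.S)
    values = _ASSIGN.findall(code)
    if not values:
        return default, False
    return int(values[-1]), True


def audit(local_settings):
    """Summarise whether the setting still allows empty passwords."""
    value, overridden = effective_min_length(local_settings)
    if value == 0:
        why = "explicitly set to 0" if overridden else "not overridden, default 0 applies"
        return f"FAIL: empty passwords allowed ({why})"
    return f"OK: minimum password length is {value}"


# Constructed sample files, not taken from any real wiki.
SAMPLE_UNSET = "<?php\n$wgSitename = 'ExampleWiki';\n// $wgMinimalPasswordLength = 6;\n"
SAMPLE_BLOCK = "<?php\n/*\n$wgMinimalPasswordLength = 8;\n*/\n"
SAMPLE_FIXED = "<?php\n$wgMinimalPasswordLength = 0;\n$wgMinimalPasswordLength = 8; // hardened\n"

if __name__ == "__main__":
    for name, text in [("unset", SAMPLE_UNSET), ("block-commented", SAMPLE_BLOCK),
                       ("fixed", SAMPLE_FIXED)]:
        print(f"{name}: {audit(text)}")
```
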
