See T19606, the corresponding Phabricator task, for complete and up-to-date bug report information.
Bug 17606 - Flying pig vulnerability
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: General/Unknown (Other open bugs)
Version: 1.15.x
Hardware: All
OS: All
Importance: Normal enhancement with 3 votes
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks: 29079

Reported: 2009-02-21 23:00 UTC by River Tarnell
Modified: 2011-07-31 03:40 UTC (History)
CC: 3 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description River Tarnell 2009-02-21 23:00:46 UTC
Using the PasswordReset extension, it is possible for flying pigs to take over a user's account using advanced memory modification techniques.
Comment 1 Platonides 2009-02-21 23:05:20 UTC
No exploits found in the wild.

Workaround: Only give bureaucrat access to users living in the city (where there are far fewer pigs), preferably on the top floors of the skyscrapers, well above flying pigs' maximum altitude.
Comment 2 Ryan Schmidt 2009-02-21 23:09:18 UTC
Reopening as this is most certainly not invalid. It is the one major bug that MUST be fixed before the PasswordReset extension can be stable enough to be used. While every other potential abuse can be checked with logging, flying pigs can circumvent this check by simply possessing other users, which does not get logged.

Perhaps we need a way to intercept brain wave patterns to determine if the user is acting of his/her own free will and block changes where he/she is not.
Comment 3 River Tarnell 2009-02-21 23:11:32 UTC
Perhaps an easy fix would be to implement Special:Log/possession. The only problem is that the flying pigs could make people forget to check the logs, rendering it ineffective.
Comment 4 Platonides 2009-02-21 23:56:24 UTC
This tool seems to protect against them http://zapatopi.net/afdb/
Comment 5 Chad H. 2009-02-22 00:15:36 UTC
(In reply to comment #0)
> Using the PasswordReset extension, it is possible for flying pigs to take over
> a user's account using advanced memory modification techniques.
> 

Flying pigs successfully kept out as of r47640
