Last modified: 2012-08-14 12:08:31 UTC
I installed MediaWiki today and was astonished to realize that anyone can edit pages. This obviously must be an oversight, as allowing anonymous contributions could not possibly be a design goal.
Suggest removal of anonymous page editing forthwith and closing this major security breach.
I'm pretty sure this is a dup but can't seem to find it.... =(
1.3 is no longer supported. Can you confirm that the problem still exists on trunk?
Created attachment 8357 [details]
Commit this ASAP
I'm not really familiar with Brainfuck, but this patch appears to fix the bug.
Not a blocker to 1.17 release, cannot confirm this problem in trunk or REL1_17.
(In reply to comment #3)
> 1.3 is no longer supported. Can you confirm that the problem still exists on
Why isn't 1.3 supported? Windows 95 supports it.
I'm actually seeing this behavior on my 1.15 install. My boss is kind of anxious about it; when can we see a tarball?
Created attachment 8358 [details]
(In reply to comment #6)
> I'm actually seeing this behavior on my 1.15 install.
I see it now, seems to affect all versions of MediaWiki.
Proposed patch is a little less draconian than comment 4's (also it's in Ruby, not Brainfuck, it would seem); it prohibits anonymous actions.
> My boss is kind of
> anxious about it; when can we see a tarball?
Hmm, to release a patch for all affected versions? Gonna need at least a week or two to sort out the backports and run unit tests for regressions.
Not only can users edit pages, it seems that their private information gets leaked, too.
Steps to reproduce:
1. Reproduce this bug (i.e. "hack mediawiki")
2. Click on "history"
3. Note the IP address of the hacker, time and date
This seems to be a huge privacy vulnerability.
Actually, on further inspection, this seems like it would create an AWESOME backdoor to hacking people's wikis. Let's keep it in ;-)