Last modified: 2012-08-14 12:08:31 UTC

Bug 28357 - Users can edit any page
Product: MediaWiki
Classification: Unclassified
Page editing (Other open bugs)
All other
: Highest critical (vote)
: ---
Assigned To: Nobody
Reported: 2011-04-01 03:54 UTC by Chad H.
Modified: 2012-08-14 12:08 UTC


Attachments:
Commit this ASAP (720 bytes, patch), 2011-04-01 11:40 UTC, Max Semenik
Updated patch (385 bytes, patch), 2011-04-01 17:06 UTC, Chad H.

Description Chad H. 2011-04-01 03:54:18 UTC
I installed MediaWiki today and was astonished to realize that anyone can edit pages. This obviously must be an oversight, as allowing anonymous contributions could not possibly be a design goal.

Suggest removal of anonymous page editing forthwith and closing this major security breach.
Comment 1 p858snake 2011-04-01 04:15:26 UTC
I'm pretty sure this is a dup but can't seem to find it.... =(
Comment 2 Sam Reed (reedy) 2011-04-01 11:34:07 UTC
Bumping priority.
Comment 3 Happy-melon 2011-04-01 11:36:53 UTC
1.3 is no longer supported. Can you confirm that the problem still exists on trunk?

Comment 4 Max Semenik 2011-04-01 11:40:59 UTC
Created attachment 8357 [details]
Commit this ASAP

I'm not really familiar with Brainfuck, but this patch appears to fix the bug.
Comment 5 Chad H. 2011-04-01 11:45:43 UTC
Not a blocker to 1.17 release, cannot confirm this problem in trunk or REL1_17.

(In reply to comment #3)
> 1.3 is no longer supported. Can you confirm that the problem still exists on
> trunk?

Why isn't 1.3 supported? Windows 95 supports it.
Comment 6 Brandon Harris 2011-04-01 17:01:46 UTC
I'm actually seeing this behavior on my 1.15 install. My boss is kind of anxious about it; when can we see a tarball?
Comment 7 Chad H. 2011-04-01 17:06:58 UTC
Created attachment 8358 [details]
Updated patch

(In reply to comment #6)
> I'm actually seeing this behavior on my 1.15 install.

I see it now, seems to affect all versions of MediaWiki.

Proposed patch is a little less draconian than comment 4 (also it's in Ruby, not Brainfuck, it would seem) and prohibits anonymous actions.

> My boss is kind of
> anxious about it; when can we see a tarball?

Hmm, to release a patch for all affected versions? Gonna need at least a week or two to sort out the backports and run unit tests for regressions.
Comment 8 Church of emacs 2011-04-02 00:30:58 UTC
Not only can users edit pages, it seems that their private information gets leaked, too.
Steps to reproduce:
1. Reproduce this bug (i.e. "hack mediawiki")
2. Click on "history"
3. Note the IP address of the hacker, time and date

This seems to be a huge privacy vulnerability.
Comment 9 Chad H. 2011-04-03 22:35:17 UTC
Actually, on further inspection, this seems like it would create an AWESOME backdoor to hacking people's wikis. Let's keep it in ;-)