Last modified: 2006-08-29 18:29:16 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T9150, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 7150 - Non-administrator edited interface page
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Page editing (Other open bugs)
unspecified
All All
: Normal normal (vote)
Assigned To: Nobody - You can work on this!
http://fy.wikipedia.org/w/index.php?t...
Reported: 2006-08-28 17:11 UTC by aliter
Modified: 2006-08-29 18:29 UTC (History)
Description aliter 2006-08-28 17:11:12 UTC
The user w:fy:Meidogger:YurikBot has just changed
w:fy:MediaWiki:Disambiguationspage, a protected page. YurikBot does not have
administrator status on fy:, so he/it should not be able to change a protected
page. Apparently, the user, or its controller if it really is a bot, has found a
security hole.
Comment 1 Ral315 2006-08-28 17:29:17 UTC
Quote in IRC:

<rotemliss> Ral315: I think it's an automated script run from the server, but
I'm not sure; yurikbot and TimStarling may know more about that.

YurikBot also made a similar edit to the English Wikipedia's same page.  I'm
inclined to think it is automatic; otherwise, yes, this is a severe breach.
Comment 2 Tim Starling 2006-08-28 17:31:09 UTC
Yuri Astrakhan is our buddy. He's done some great work developing for MediaWiki, so now 
he gets some special privileges. He changed the behaviour of 
MediaWiki:Disambiguationspage in the software, and wanted to follow that up with some 
edits to Wikipedia, so of course we were happy to let him. We might give him full shell 
access at some time in the future.
Comment 3 aliter 2006-08-29 18:15:16 UTC
Yuri Astrakhan is definitely not my buddy. On the wikis he comes across as
arrogant, and he is one of the people who feel that adding words in capitals to
the summary is enough explanation, never mind discussion.

Me, I would not at all be happy if he got the rights to vandalise the small
wikis further. But apart from that: We have different levels of user rights; why
bother with those if they're going to be ignored?

Even if you explain this as human error, it's still a security breach. And if it
really is a bot, this has quite the potential for disaster.
Comment 4 Aryeh Gregor (not reading bugmail, please e-mail directly) 2006-08-29 18:18:01 UTC
The edit was manually imported.  It's not a security breach to allow people with
shell access (or whatever he used) to import pseudo-edits.  To the contrary,
it's much more efficient than using an actual bot.

Normally such edits are made from special accounts named something like "Wiki
update script", so it's clear what's going on.  I suggest this convention be
followed in the future.
Comment 5 Rob Church 2006-08-29 18:28:15 UTC
All server-side or automated edits need to be marked as such. This needs to be
clear in the edit summary. It's not a question of who likes who, or whose ass
was kissed, it's a simple question of being able to say, "ok, that edit was done
server-side, and it wasn't a security error".
Comment 6 Rotem Liss 2006-08-29 18:29:16 UTC
(In reply to comment #3)
> Yuri Astrakhan is definitely not my buddy. On the wikis he comes across as
> arrogant, and he is one of the people who feel that adding words in capitals to
> the summary is enough explanation, never mind discussion.
> 
> Me, I would not at all be happy if he got the rights to vandalise the small
> wikis further. But apart from that: We have different levels of user rights; why
> bother with those if they're going to be ignored?
> 
> Even if you explain this as human error, it's still a security breach. And if it
> really is a bot, this has quite the potential for disaster.

He just operates bots, e.g. Interwiki bots which fix the interwiki, and redirect
bots which fix double redirects. This is far from vandalism, and this is a fix
for maintenance. It is not a human error, and it is not vandalism: it is a
script which was operated from the server itself by the maintainers. In the same
way, MediaWiki default - see [[fy:Special:Contributions/MediaWiki_default]] –
changes system messages to the default. It has nothing to do with security.
