Last modified: 2011-12-01 14:56:00 UTC

Bug 9727 - Login without password possible under certain circumstances
Status: RESOLVED DUPLICATE of bug 6394
Product: MediaWiki
Classification: Unclassified
Component: User login and signup
Hardware: PC Windows XP
Importance: Highest critical with 1 vote
Assigned To: Nobody
Reported: 2007-04-27 20:51 UTC by Daniel Barich
Modified: 2011-12-01 14:56 UTC

Description Daniel Barich 2007-04-27 20:51:34 UTC
If a user doesn't change their password from what they originally got by email,
then at least on my installation of MediaWiki, it is possible to log in to that
account while leaving the password box blank.  This is a serious security
problem, and I have not been able to reproduce it on Wikipedia, but upgrading
our wiki to the latest version did not fix the problem.  Also, on our wiki one
can create accounts with blank passwords, which is not possible on Wikipedia either.
Comment 1 Titoxd 2007-04-27 20:53:48 UTC
Which version is this? The copy on SVN, or a stable release?
Comment 2 Platonides 2007-04-27 21:10:01 UTC
Special:Version says MediaWiki: 1.7.1 (not the last version!)

Account creation is disabled, but I could log in with a blank password in an
existing account.
Comment 3 Daniel Barich 2007-04-27 21:16:31 UTC
Thanks for telling me about Special:Version.  We tried upgrading to MediaWiki
1.9.3 with a test clone called BioWiki, but the problem was still there.  It's
been reverted to the older version, but I'll let you know when the BioWiki site
is upgraded again to the latest version so you can try it out.
Comment 4 anaconda 2007-04-27 21:26:11 UTC
This doesn't seem a bug.

From DefaultSettings.php (added in r7317):
/**
 * Specifies the minimal length of a user password. If set to
 * 0, empty passwords are allowed.
 */
$wgMinimalPasswordLength = 0;

You probably haven't changed that setting in LocalSettings.php.
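
A check for the setting quoted in comment 4, added here as an example (it is not part of the original thread or of MediaWiki): it reads the text of a LocalSettings.php and reports whether the effective $wgMinimalPasswordLength still permits an empty password. The function names and the sample file contents are constructed; the default of 0 is the value quoted above from DefaultSettings.php.

```python
import re

# Default as quoted in this thread from DefaultSettings.php (assumption for
# other releases: pass the default that matches the installed version).
THREAD_DEFAULT = 0

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"(?:#|//).*")
# "=(?!=)" skips comparisons such as "$wgMinimalPasswordLength == 0".
ASSIGN = re.compile(r"\$wgMinimalPasswordLength\s*=(?!=)\s*([^;]*);")


def effective_min_length(local_settings_text, default=THREAD_DEFAULT):
    """Return (value, source) for $wgMinimalPasswordLength.

    value is an int, or None when the right-hand side is not a plain integer.
    Heuristic: comments are stripped textually, so a '#' or '//' inside a
    string literal truncates that line. The last live assignment wins.
    """
    text = BLOCK_COMMENT.sub("", local_settings_text)
    text = "\n".join(LINE_COMMENT.sub("", line) for line in text.splitlines())
    matches = ASSIGN.findall(text)
    if not matches:
        return default, "default"
    rhs = matches[-1].strip()
    value = int(rhs) if rhs.isdigit() else None
    return value, "LocalSettings.php"


def allows_blank_password(local_settings_text, default=THREAD_DEFAULT):
    """True if a zero-length password passes, None if it cannot be decided."""
    value, _ = effective_min_length(local_settings_text, default)
    return None if value is None else value == 0


# Constructed sample files, not taken from any real wiki.
UNSET = '<?php\n$wgSitename = "ExampleWiki";\n# $wgMinimalPasswordLength = 6;\n'
HARDENED = (
    "<?php\n"
    "$wgMinimalPasswordLength = 0; // inherited from an old install\n"
    "/* $wgMinimalPasswordLength = 0; */\n"
    "$wgMinimalPasswordLength = 8;\n"
)
COMPUTED = "<?php\n$wgMinimalPasswordLength = $minLen;\n"

if __name__ == "__main__":
    for name, sample in (("unset", UNSET), ("hardened", HARDENED), ("computed", COMPUTED)):
        print(name, effective_min_length(sample), allows_blank_password(sample))
```

The commented-out assignment in the first sample is the case worth noticing: the file appears to set a minimum of 6, but the wiki still runs with the default.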
Comment 5 Aryeh Gregor (not reading bugmail, please e-mail directly) 2007-04-27 21:56:18 UTC
I believe Brion fixed this in 1.10.
Comment 6 Brion Vibber 2007-04-30 18:48:53 UTC

*** This bug has been marked as a duplicate of 6394 ***
