made an administrator who hasn't yet established an account

jidanni
Say, I noticed on Wikia one can make a user an administrator, even if he
has never logged in yet.

This exposes a security risk. A bureaucrat pre-makes some accounts for
future administrators, but before they establish accounts, somebody else
establishes an account with that name, and becomes an instant
administrator.

I'm wondering if this is a MediaWiki-wide bug, or just Wikia's.

_______________________________________________
MediaWiki-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Re: made an administrator who hasn't yet established an account

OQ
On 8/2/2010 7:18 PM, [hidden email] wrote:
> Say, I noticed on Wikia one can make a user an administrator, even if he
> has never logged in yet.
>
> This exposes a security risk. A bureaucrat pre-makes some accounts for
> future administrators, but before they establish accounts, somebody else
> establishes an account with that name, and becomes an instant
> administrator.
>
> I'm wondering if this is a MediaWiki-wide bug, or just Wikia's.

Wikia bug if they're doing something stupid like populating the user
groups table without a corresponding user.  MediaWiki won't let you
assign groups to users that don't exist.

Re: made an administrator who hasn't yet established an account

Lewis Cawte
In reply to this post by jidanni
On 03/08/10 01:18, [hidden email] wrote:

> Say, I noticed on Wikia one can make a user an administrator, even if he
> has never logged in yet.
>
> This exposes a security risk. A bureaucrat pre-makes some accounts for
> future administrators, but before they establish accounts, somebody else
> establishes an account with that name, and becomes an instant
> administrator.
>
> I'm wondering if this is a MediaWiki-wide bug, or just Wikia's.

Yes, this is MediaWiki-wide, but in no way is it a bug. The feature is
there for various reasons; one I can think of off the top of my head is
bots, sysop bots. If a user is running a smaller wiki deployment, and
they need a sysop bot quickly, they do not want to have to wait around
for a while or put in a lot of work just to be able to give it that
needed bot flag.

Other examples are welcome :)


Re: made an administrator who hasn't yet established an account

Lewis Cawte
In reply to this post by OQ
I think they mean where an account has been made and given rights before
the user account is logged into, thus making it not a bug.
On 03/08/10 01:22, Q wrote:

> On 8/2/2010 7:18 PM, [hidden email] wrote:
>> Say, I noticed on Wikia one can make a user an administrator, even if he
>> has never logged in yet.
>>
>> This exposes a security risk. A bureaucrat pre-makes some accounts for
>> future administrators, but before they establish accounts, somebody else
>> establishes an account with that name, and becomes an instant
>> administrator.
>>
>> I'm wondering if this is a MediaWiki-wide bug, or just Wikia's.
>
> Wikia bug if they're doing something stupid like populating the user
> groups table without a corresponding user.  MediaWiki won't let you
> assign groups to users that don't exist.



Re: made an administrator who hasn't yet established an account

Angela-5
In reply to this post by jidanni
On Tue, Aug 3, 2010 at 10:18 AM,  <[hidden email]> wrote:
> Say, I noticed on Wikia one can make a user an administrator, even if he
> has never logged in yet.

There isn't a bug. You can't make someone an admin before they have
made an account.
If you try, you will be told:
  There is no user by the name "Fdskjfhjsakdfkfhjksjkdfh".

Angela
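
The check OQ and Angela describe (a grant is refused unless the name resolves to an existing account), plus an audit for group rows that have no matching user, as an added example that is not part of the thread and is not MediaWiki's or Wikia's code. The two tables are a constructed, simplified stand-in that borrows the `user` / `user_groups` column names; `grant_group` and `orphaned_grants` are hypothetical helpers.

```python
import sqlite3

# Constructed, simplified stand-in for MediaWiki's `user` and `user_groups`
# tables; only the columns needed for the check are modelled.
SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE NOT NULL);
CREATE TABLE user_groups (ug_user INTEGER NOT NULL, ug_group TEXT NOT NULL,
                          PRIMARY KEY (ug_user, ug_group));
"""

def make_db():
    """Build an in-memory database with one existing administrator."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO user (user_id, user_name) VALUES (1, 'ExistingAdmin')")
    db.execute("INSERT INTO user_groups VALUES (1, 'sysop')")
    return db

def grant_group(db, user_name, group):
    """Grant a group only when the name resolves to an existing account."""
    row = db.execute("SELECT user_id FROM user WHERE user_name = ?",
                     (user_name,)).fetchone()
    if row is None:
        # Refuse rather than store a grant keyed on a name that anyone
        # could register later.
        return False, 'There is no user by the name "%s".' % user_name
    db.execute("INSERT OR IGNORE INTO user_groups VALUES (?, ?)", (row[0], group))
    return True, "granted"

def orphaned_grants(db):
    """Audit: group rows whose ug_user matches no row in `user`."""
    return db.execute(
        "SELECT ug_user, ug_group FROM user_groups "
        "LEFT JOIN user ON user_id = ug_user "
        "WHERE user_id IS NULL ORDER BY ug_user, ug_group").fetchall()

if __name__ == "__main__":
    db = make_db()
    print(grant_group(db, "FutureAdmin", "sysop"))
    # Constructed row written straight to the table, bypassing the check.
    db.execute("INSERT INTO user_groups VALUES (42, 'sysop')")
    print(orphaned_grants(db))
```

Because grants are keyed on the numeric user id rather than the name, a row can only be orphaned by a direct write to the table, which is what the audit query surfaces.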
