[Mediawiki-l] made an administrator who hasn't yet established an account

Q overlordq at gmail.com
Tue Aug 3 00:22:14 UTC 2010


On 8/2/2010 7:18 PM, jidanni at jidanni.org wrote:
> Say, I noticed on Wikia one can make a user an administrator, even if he
> has never logged in yet.
> 
> This exposes a security risk. A bureaucrat pre-makes some accounts for
> future administrators, but before they establish accounts, somebody else
> establishes an account with that name, and becomes an instant
> administrator.
> 
> I'm wondering if this is a MediaWiki-wide bug, or just Wikia's.

Wikia bug if they're doing something stupid like populating the user
groups table without a corresponding user.  MediaWiki won't let you
assign groups to users that don't exist.
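An added example, not part of the original thread and not MediaWiki's or Wikia's own code: an audit for the condition the reply describes, group rows with no corresponding user. It assumes MediaWiki's `user` and `user_groups` tables (columns `user_id`, `user_name`, `ug_user`, `ug_group`) and runs on constructed sample rows in an in-memory SQLite database; the function names are hypothetical.

```python
import sqlite3

# Constructed miniature of MediaWiki's user and user_groups tables.
# Table and column names follow the MediaWiki schema; the rows are sample data.
SCHEMA = """
CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE);
CREATE TABLE user_groups (ug_user INTEGER, ug_group TEXT);
INSERT INTO user VALUES (1, 'Alice'), (2, 'Bob');
INSERT INTO user_groups VALUES (1, 'bureaucrat'), (2, 'sysop'),
                               (3, 'sysop'), (7, 'bureaucrat');
"""

# Group memberships whose ug_user matches no row in the user table.
ORPHAN_QUERY = """
SELECT ug.ug_user, ug.ug_group
FROM user_groups AS ug
LEFT JOIN user AS u ON u.user_id = ug.ug_user
WHERE u.user_id IS NULL
ORDER BY ug.ug_user, ug.ug_group
"""


def build_sample_db():
    """Create the in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def find_orphan_grants(conn):
    """Return (ug_user, ug_group) pairs that point at no existing account."""
    return conn.execute(ORPHAN_QUERY).fetchall()


def remove_orphan_grants(conn):
    """Delete the orphaned rows and return how many were removed."""
    cur = conn.execute(
        "DELETE FROM user_groups "
        "WHERE ug_user NOT IN (SELECT user_id FROM user)"
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    for ug_user, ug_group in find_orphan_grants(db):
        print(f"orphaned grant: ug_user={ug_user} ug_group={ug_group}")
    print("removed", remove_orphan_grants(db), "rows")
```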


