Showing content from https://phabricator.wikimedia.org/T5631 below:

T5631 security gap: IP style user names - IP range style user names


Comment Actions

gangleri wrote:

Please watch [[Special:Log/newusers]] for abuse as long as this security gap is
not closed.

Comment Actions

What security gap? These are not IP addresses, though they may somewhat resemble
them in a vague way.

Comment Actions

gangleri wrote:

The security gap consists in hijacking others' contributions.

[[en:User:200.191.188.xxx]] was created yesterday. But other people's
contributions are now contributions of this account. Probably this conflicts
with wiki policy.

see [[en:Special:Contributions/200.191.188.xxx]]

Best regards Reinhardt [[user:gangleri]]

Comment Actions

gangleri wrote:

addendum

a) There might be other cases in [[en:]], its sister projects or projects in other
languages.
b) Some have more contributions than required for board votes (in the past).
c) I have no clue what would happen if an anon user from IP range
200.191.188.xxx would try to make some edits. Maybe xxx in 200.191.188.xxx is a
historical issue. If it is not, then 200.191.188.xxx is ambiguous now: it could
be an anon user or it could be a logged in user with this user name. Such
ambiguities would not make life easier.

Best regards Reinhardt [[user:gangleri]]

Comment Actions

avarab wrote:

Where is the ambiguity?

Comment Actions

Looks like it matches old recorded anon bits from 2001 (UseMod obscured the final octet
of the IP for anons, at least sometimes). Note that the same applies to any unclaimed
UseMod-era account name.

Comment Actions

gangleri wrote:

(In reply to comment #5)

> Where is the ambiguity?

http://en.wikipedia.org/w/index.php?title=Wikipedia&action=history&limit=50&offset=20020821080640
shows three such "contributors". You may find these contributions also at
[[en:Special:Contributions/130.94.122.xxx]]
[[en:Special:Contributions/172.135.153.xxx]]
[[en:Special:Contributions/216.126.89.xxx]]
As I said, item c) might be a historical issue and not an ambiguity any more.

Comment Actions

avarab wrote:

Okay, so some UseMod usernames use account names that kind of look like IP
addresses but should not be detected as such anywhere in the software; where's
the critical security issue here?

Comment Actions

avarab wrote:

FIXED the issue in HEAD (not in any other branches since other websites probably
don't have stale usemod usernames running around), temp sysopped myself on
enwiki and permbanned the users that used this bug.
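
As an added example (not part of the thread, and not the MediaWiki fix, which the thread does not show): a registration-time check plus an account audit for the collision discussed above, where an account name equals a label that old anonymous edits are attributed to. The function names and the sample account list are assumptions made for illustration.

```python
import ipaddress
import re

# Three numeric octets followed by a literal "xxx", as in 200.191.188.xxx.
MASKED_IPV4 = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.xxx", re.IGNORECASE)
DOTTED_QUAD = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")


def looks_like_ip_identity(name):
    """Return True if a requested account name could pass for an anon IP label."""
    candidate = name.strip()
    for pattern in (DOTTED_QUAD, MASKED_IPV4):
        match = pattern.fullmatch(candidate)
        if match and all(int(octet) <= 255 for octet in match.groups()):
            return True
    try:
        ipaddress.ip_address(candidate)  # also catches IPv6 literals
        return True
    except ValueError:
        return False


def audit_accounts(registered, legacy_labels):
    """Map each suspicious registered name to the reason it was flagged."""
    # Any unclaimed legacy label is a collision risk, IP-shaped or not.
    legacy = {label.strip().lower() for label in legacy_labels}
    findings = {}
    for name in registered:
        if name.strip().lower() in legacy:
            findings[name] = "matches a legacy contribution label"
        elif looks_like_ip_identity(name):
            findings[name] = "IP-style name"
    return findings


# The masked labels are the ones quoted in the thread; the account list is constructed.
LEGACY_LABELS = ["130.94.122.xxx", "172.135.153.xxx", "216.126.89.xxx"]
REGISTERED = ["Alice", "216.126.89.xxx", "10.0.0.xxx", "192.0.2.7", "v1.2.3.xxx"]

if __name__ == "__main__":
    for name, reason in audit_accounts(REGISTERED, LEGACY_LABELS).items():
        print(f"{name}: {reason}")
```

Running the same predicate at account creation and over the existing user table covers both new registrations and names that were claimed before the check existed.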

