Vulnerability found in CheckUser

For WMF employee / slave nonsense, developer hijinks, and MediaWiki and related software screw-ups.
Bbb23sucks
Sucker
Posts: 1402
Joined: Fri Jan 06, 2023 9:08 am
Location: The Astral Plane
Has thanked: 1467 times
Been thanked: 294 times

Vulnerability found in CheckUser

Post by Bbb23sucks » Sat Apr 22, 2023 8:42 pm

https://nvd.nist.gov/vuln/detail/CVE-2023-29139

Unfortunately, this only appears to work IF you have CheckUser access.
"Globally banned" since September 5, 2023 for exposing harassment.

boredbird
Sucks Mod
Posts: 607
Joined: Wed Jul 26, 2017 3:24 am
Has thanked: 759 times
Been thanked: 359 times

Re: Vulnerability found in CheckUser

Post by boredbird » Sat Apr 22, 2023 10:13 pm

Bbb23sucks wrote:
Sat Apr 22, 2023 8:42 pm
https://nvd.nist.gov/vuln/detail/CVE-2023-29139

Unfortunately, this only appears to work IF you have CheckUser access.

I noticed this myself while checkusering a bunch of people with my Wikipedia account.

Re: Vulnerability found in CheckUser

Post by Bbb23sucks » Sat Apr 22, 2023 10:22 pm

boredbird wrote:
Sat Apr 22, 2023 10:13 pm
Bbb23sucks wrote:
Sat Apr 22, 2023 8:42 pm
https://nvd.nist.gov/vuln/detail/CVE-2023-29139

Unfortunately, this only appears to work IF you have CheckUser access.
I noticed this myself while checkusering a bunch of people with my Wikipedia account.

Me too, though it was on my WMF account.
"Globally banned" since September 5, 2023 for exposing harassment.

ericbarbour
Sucks Admin
Posts: 4932
Joined: Sat Feb 25, 2017 1:56 am
Location: The ass-tral plane
Has thanked: 1283 times
Been thanked: 2025 times

Re: Vulnerability found in CheckUser

Post by ericbarbour » Sat Apr 22, 2023 11:39 pm

It's "nice" to know that MediaWiki is still riddled with bugs that go back 15-20 years. We need these occasional reminders of how screwed-up their Magical Software is. And remains, despite about 18 years of employing coders on actual salaries to "fix" things.

Re: Vulnerability found in CheckUser

Post by Bbb23sucks » Sun Apr 23, 2023 12:32 am

ericbarbour wrote:
Sat Apr 22, 2023 11:39 pm
It's "nice" to know that MediaWiki is still riddled with bugs that go back 15-20 years. We need these occasional reminders of how screwed-up their Magical Software is. And remains, despite about 18 years of employing coders on actual salaries to "fix" things.

This one was actually fixed rather quickly, though it only appears to apply to the latest alpha of MediaWiki. But anything that isn't big enough to immediately crash their site will likely remain unfixed for 15+ years. Even if it is fixed, it will probably be fixed by an unpaid volunteer. What are they even paying their devs for?
"Globally banned" since September 5, 2023 for exposing harassment.

Re: Vulnerability found in CheckUser

Post by ericbarbour » Sun Apr 23, 2023 3:08 am

Bbb23sucks wrote:
Sun Apr 23, 2023 12:32 am
What are they even paying their devs for?

You can ask them, but you will NEVER get a straight answer. And unless you're a prominent journalist or writer, they would probably ignore your question completely. Great at stonewalling people--not so good at code development.

Re: Vulnerability found in CheckUser

Post by Bbb23sucks » Sat Jan 13, 2024 11:24 am

Oh look, they are *FINALLY* addressing it: https://gerrit.wikimedia.org/r/c/mediaw ... r/+/989527

Edit: Never mind, that's a separate, new vulnerability.
"Globally banned" since September 5, 2023 for exposing harassment.
