Authentication Bypass by Alternate Name

Critical
Kenny2github published GHSA-8fq5-g4m5-6j43 Aug 28, 2020

Package

No package listed

Affected versions

<1.1

Patched versions

1.1

Description

Impact

Affects all users on any wiki using this extension. Any account can be logged into by someone whose Scratch username is the target's username with leading, trailing, or repeated underscore(s) added: MediaWiki treats underscores as whitespace, collapses repeated whitespace, and trims it from both ends, so such a name canonicalizes to the victim's username and the verification code posted under it is accepted as the victim's.

Patches

Since version 1.1, comments by users whose usernames would be altered by MediaWiki's trimming (leading, trailing, or repeated underscores) are ignored when searching for the verification code, so only a Scratch username that maps unchanged onto the wiki username can complete the login.
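
The following is an added illustration, not code from the ScratchLogin extension (which is PHP) or from the advisory. It models MediaWiki's username canonicalization in Python, shows how the pre-1.1 comment search matched an attacker's underscore-padded Scratch name to the victim's wiki account, and beside it the fixed search that skips authors whose names would be trimmed. The comment list, usernames and codes are constructed sample data; `mediawiki_normalize` is a simplified model of MediaWiki's behaviour (underscores to spaces, collapse and trim whitespace, uppercase first letter under the default `$wgCapitalLinks`), not MediaWiki's own code.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: comments as fetched from a Scratch project, (author, body).
# The wiki account under attack is "Kenny2github"; the legitimate owner's Scratch
# name is "kenny2github". "_kenny2github_" is an attacker-registered Scratch account.
SAMPLE_COMMENTS: List[Tuple[str, str]] = [
    ("randomuser", "nice project!"),
    ("_kenny2github_", "ABC123"),   # attacker posts the code the wiki asked for
    ("kenny2github", "XYZ789"),     # legitimate owner, unrelated comment
]


def mediawiki_normalize(name: str) -> str:
    """Simplified model of MediaWiki username canonicalization (assumption, not
    MediaWiki's code): underscores are spaces, runs of whitespace collapse to
    one space, leading/trailing whitespace is trimmed, first letter uppercased."""
    spaced = name.replace("_", " ")
    collapsed = re.sub(r"\s+", " ", spaced).strip()
    return collapsed[:1].upper() + collapsed[1:]


def would_be_trimmed(scratch_name: str) -> bool:
    """True when MediaWiki's trimming would change the name, i.e. the Scratch
    name has leading, trailing, or repeated underscores. A single interior
    underscore ("kenny_2github") survives as a space and is NOT flagged."""
    spaced = scratch_name.replace("_", " ")
    return re.sub(r" {2,}", " ", spaced).strip() != spaced


def find_code_vulnerable(comments: List[Tuple[str, str]],
                         wiki_user: str, code: str) -> Optional[str]:
    """Pre-1.1 behaviour as described in the advisory: any comment whose author
    canonicalizes to the wiki username and contains the code is accepted.
    Returns the matching Scratch author, or None."""
    target = mediawiki_normalize(wiki_user)
    for author, body in comments:
        if mediawiki_normalize(author) == target and code in body:
            return author
    return None


def find_code_fixed(comments: List[Tuple[str, str]],
                    wiki_user: str, code: str) -> Optional[str]:
    """1.1 behaviour: comments by authors whose names would be trimmed are
    ignored before the username comparison, so only a Scratch name that maps
    unchanged onto the wiki username can supply the verification code."""
    target = mediawiki_normalize(wiki_user)
    for author, body in comments:
        if would_be_trimmed(author):
            continue  # the fix: skip "_kenny2github_", "kenny__2github", ...
        if mediawiki_normalize(author) == target and code in body:
            return author
    return None


if __name__ == "__main__":
    # The wiki issued code ABC123 for account Kenny2github; only the attacker posted it.
    print("vulnerable:", find_code_vulnerable(SAMPLE_COMMENTS, "Kenny2github", "ABC123"))
    print("fixed:     ", find_code_fixed(SAMPLE_COMMENTS, "Kenny2github", "ABC123"))
```

The skip in `find_code_fixed` happens before canonicalization on purpose: once the names have been normalized the attacker's and the victim's are indistinguishable, so the check has to look at the raw Scratch name the comment was posted under.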

Workarounds

  • Disable the extension by removing the wfLoadExtension( 'ScratchLogin' ) or wfLoadExtension( 'mediawiki-scratch-login' ) call from the wiki's LocalSettings.php.
  • If you want to keep using the extension, update it to version 1.1 or later now.

Severity

Critical

CVE ID

CVE-2020-15164

Weaknesses

No CWEs

Credits