
security gap: IP style user names - IP range style user names - hijacking these accounts
Closed, ResolvedPublic

Description

Author: gangleri

Description:
Hallo!

It should not be possible to create IP type accounts because MediaWiki makes a
kind of validation and displays [[en:MediaWiki:Noname]].

However, while surfing today I have seen edits of one or more anon users at
[[en:Special:Contributions/200.191.188.xxx]].

I was able to *hijack* this account - see [[en:User:200.191.188.xxx]] . Before
doing this I also created the account [[fy:User:200.191.188.xxx]].

Please close this security gap. You may cancel both accounts from the database.

Best regards Reinhardt [[user:gangleri]]


Version: 1.6.x
Severity: critical
URL: http://fy.wikipedia.org/wiki/User:200.191.188.xxx

Details

Reference
bz3631

Event Timeline

bzimport raised the priority of this task to High. Nov 21 2014, 8:50 PM
bzimport set Reference to bz3631.
bzimport added a subscriber: Unknown Object (MLST).

gangleri wrote:

Please watch [[Special:Log/newusers]] for abuse as long as this security gap is
not closed.

What security gap? These are not IP addresses, though they may somewhat resemble
them in a vague way.

gangleri wrote:

The security gap consists in hijacking others contributions.

[[en:User:200.191.188.xxx]] was created yesterday, but other people's
contributions are now contributions of this account. This probably conflicts
with wiki policy.

see [[en:Special:Contributions/200.191.188.xxx]]

Best regards Reinhardt [[user:gangleri]]

gangleri wrote:

addendum

a) There might be other cases in [[en:]], its sister projects, or projects in other
languages.
b) Some have more contributions than required for board votes (in the past).
c) I have no clue what would happen if an anon user from the IP range
200.191.188.xxx would try to make some edits. Maybe the xxx in 200.191.188.xxx is a
historical issue. If it is not, then 200.191.188.xxx is ambiguous now: it could
be an anon user or it could be a logged-in user with this user name. Such
ambiguities would not make life easier.

Best regards Reinhardt [[user:gangleri]]

avarab wrote:

  • IP addresses have the form /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
  • A logged-in user does not match an IP address

Where is the ambiguity?

Looks like it matches old recorded anon bits from 2001 (UseMod obscured the final octet
of the ip for anons, at least sometimes). Note that the same applies to any unclaimed
UseMod-era account name.

gangleri wrote:

(In reply to comment #5)

  • IP addresses have the form /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
  • A logged-in user does not match an IP address

Where is the ambiguity?

http://en.wikipedia.org/w/index.php?title=Wikipedia&action=history&limit=50&offset=20020821080640
shows three such "contributors". You may find these contributions also at
[[en:Special:Contributions/130.94.122.xxx]]
[[en:Special:Contributions/172.135.153.xxx]]
[[en:Special:Contributions/216.126.89.xxx]]
As I said, item c) might be a historical issue and not an ambiguity any more.

avarab wrote:

Okay, so some UseMod usernames use account names that kind of look like IP
addresses but should not be detected as such anywhere in the software. Where is
the critical security issue here?

gangleri wrote:

(In reply to comment #8)

where's the critical security issue here?

It is not trivial to log in as [[User:Ævar Arnfjörð Bjarmason]]. But it is easy
to log in as UseMod usernames:
http://en.wikipedia.org/w/index.php?title=User:216.126.89.xxx&action=history

All [[Special:Contributions/216.126.89.xxx]] belong now to this "user".

avarab wrote:

FIXED the issue in HEAD (not in any other branches since other websites probably
don't have stale usemod usernames running around), temp sysopped myself on
enwiki and permbanned the users that used this bug.
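The gap discussed in the two comments above (the plain dotted-quad IPv4 pattern versus the UseMod-era names whose final octet was obscured as "xxx"), modelled in Python as an added example. This is not MediaWiki's code (which is PHP) and not the fix avarab committed to HEAD; the hardened pattern, the toy name check, and the revision rows are all assumptions constructed here for illustration. The audit helper at the end shows which historical anonymous contributor strings a given IP check would let someone register, which is the exposure gangleri's "watch Special:Log/newusers" advice is about.

```python
import re

# Pattern avarab quotes in the thread: a dotted-quad IPv4 address and nothing else.
IPV4_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

# Hardened pattern. Assumption for this example: the UseMod import obscured the
# last octet as the literal "xxx", so a name is IP-style when its last octet is
# either digits or "xxx". Modelled on the thread, not copied from MediaWiki.
IP_LIKE_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.(?:xxx|\d{1,3})$")


def is_ip_old(name: str) -> bool:
    """Old check: only a real-looking dotted quad counts as an IP."""
    return IPV4_RE.match(name) is not None


def is_ip_hardened(name: str) -> bool:
    """Hardened check: also catches the obscured UseMod form 200.191.188.xxx."""
    return IP_LIKE_RE.match(name) is not None


def name_is_registrable(name: str, is_ip) -> bool:
    """Toy model of the account-creation name check (the [[MediaWiki:Noname]]
    path): refuse empty names and anything the supplied predicate classes as an IP."""
    name = name.strip()
    if not name:
        return False
    return not is_ip(name)


# Constructed sample of revision rows as (rev_user, rev_user_text).
# rev_user == 0 marks an edit recorded as anonymous; rev_user_text then holds
# whatever string the importer stored, which for UseMod-era edits is the
# obscured IP. These rows are made up for the example.
SAMPLE_REVISIONS = [
    (0, "200.191.188.xxx"),
    (0, "200.191.188.xxx"),
    (0, "130.94.122.xxx"),
    (0, "216.126.89.xxx"),
    (0, "200.191.188.10"),      # ordinary anon edit, rejected by both checks
    (4711, "Gangleri"),         # registered user, not anonymous
]


def hijackable_anon_names(revisions, is_ip, registered_names=frozenset()):
    """Anonymous contributor strings that the given IP check would let someone
    register as a username, thereby claiming those old edits as their own.
    registered_names lists names that already exist and so cannot be taken."""
    anon_texts = {text for user_id, text in revisions if user_id == 0}
    return sorted(
        text for text in anon_texts
        if text not in registered_names and name_is_registrable(text, is_ip)
    )


if __name__ == "__main__":
    for check in (is_ip_old, is_ip_hardened):
        print(check.__name__, hijackable_anon_names(SAMPLE_REVISIONS, check))
```

Under the old check the three "xxx" names from the thread come back as registrable; under the hardened check none do. Note what the pattern change does not cover: the comment above points out that any unclaimed UseMod-era account name carries the same exposure, and no regex can recognise those. Keeping imported anonymous edits bound to a null user id rather than to a name string, or reserving the imported names, is what closes that wider case.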

gangleri wrote:

Thank you Ævar! Regards Reinhardt