Nicolas Brouard INED wrote:
Then, just try to enter your e-mail on a standard wiki in place of your 
username and you will be authenticated to the first ID (and user_name) having 
your e-mail.

Great Idea!

If someone could test this patch above and report the security issues as well 
as performance, it could be great for us.

No idea about PHP and performance, but a possible security hole: Are there any system messages that output the username when failing to log in? If these messages would use the username from the database query (because of normalizing or something?) and not from $_POST, you could find out users' email addresses.

 Bergi

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
