Topic on Project:Support desk

[RESOLVED] $wgGroupPermissions not preventing spammers creating new pages

Graham Phillips 110 (talk | contribs)

http://www.svrwiki.com/ Version 1.24.1

I have put the following code in LocalSettings.php:

$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['*']['createtalk'] = false;
$wgGroupPermissions['*']['writeapi'] = false;

$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['user']['createtalk'] = false;

$wgGroupPermissions['Trustworthy'] = $wgGroupPermissions['user'];
$wgGroupPermissions['Trustworthy']['createpage'] = true;
$wgGroupPermissions['Trustworthy']['createtalk'] = true;

I have manually added all the known genuine contributors to the "Trustworthy" group. I have created a dummy non-admin account for myself to test it and it works. As a non-trustworthy, non-admin, I can't create new pages. We are still getting spammers creating new pages though. How are they getting through and how do we stop them please?

Graham Phillips 110 (talk | contribs)

I just read the comments below about Magic Words.
Sorry if I sounded a bit abrupt too. I'm getting impatient with having to spend so much time deleting spam and trying to prevent it and I shouldn't be taking it out on those who I'm hoping will help me.

Ciencia Al Poder (talk | contribs)

I wonder if edits through the api could be circumventing this.

Do you have access to the access_log of the server to see what URLs they are using to edit pages, and see if they're using the api to edit?

Graham Phillips 110 (talk | contribs)

Thanks, I wondered that too, which is why I added $wgGroupPermissions['*']['writeapi'] = false;
They're still getting through, so I've added $wgGroupPermissions['user']['writeapi'] = false; as well now.
I'm very much a beginner at all this and trying to pick it up as I go along. I'll see if I can work out how to access the access log.
It's hosted on GoDaddy if that makes any difference.

88.130.103.73 (talk | contribs)

@Ciencia: Do you consider that a security hole? I think it should not be possible to circumvent MediaWiki's permission system just by using the API...

Graham Phillips 110 (talk | contribs)

Another page created by a non "Trustworthy" new member this morning. www.svrwiki.com/Special:RecentChanges.
Is this a security hole? Is ours the only wiki affected, or is it a known problem?
$wgGroupPermissions doesn't seem to be doing what it's supposed to. It stops me when I try to create a new page with my own dummy non-admin account, but other people are obviously getting round it somehow.
Is there another setting I should change?

Ciencia Al Poder (talk | contribs)

The problem here is that even the owner is not able to reproduce the problem on his own test account, but spammers do. I don't see any not well-known extension listed on Special:Version which could have some security hole to allow creating such pages.

The only way to debug this is to see what kind of URL they're using to circumvent your settings, to try to reproduce the exact steps and see where's the hole. The only way I think they could circumvent this is if you have a wiki pointing to the same database under a different URL, with different LocalSettings.php that allow creating such pages.

94.197.121.146 (talk | contribs)

> The only way I think they could circumvent this is if you have a wiki pointing to the same database under a different URL, with different LocalSettings.php that allow creating such pages.

I'm another admin on the site, and thank you for this suggestion - it may well be the answer. After a review of the access logs, it appears that an older installation was still accessible and had been discovered by the spammers. After making that secure, we're still seeing a lot of traffic trying to access the site through the old address, but with no spam appearing in the last 24 hours or so.
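The access-log review that resolved this thread, as an added example (not code posted by any participant): it counts write-like MediaWiki requests per entry-point script and lists those arriving through a path other than the live install. The combined log format, the expected entry points `/index.php` and `/api.php`, and the sample lines (including the `/old/` path) are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: the host writes Apache/nginx "combined" format access logs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumption: the live wiki is served from the web root.
EXPECTED_ENTRY_POINTS = {"/index.php", "/api.php"}

def classify(method, target):
    """Return (script_path, kind) for a write-like request, else None."""
    if method != "POST":
        return None
    parts = urlsplit(target)
    action = parse_qs(parts.query).get("action", [""])[0]
    if parts.path.endswith("/api.php"):
        return parts.path, "api-post"  # API action is in the POST body, not the log
    if parts.path.endswith("/index.php") and action in ("submit", "edit"):
        return parts.path, "form-save"
    return None

def find_write_requests(lines, expected=EXPECTED_ENTRY_POINTS):
    """Count write-like requests per entry point; list those outside `expected`."""
    counts, unexpected = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        hit = classify(m["method"], m["target"]) if m else None
        if hit is None:
            continue
        counts[hit] += 1
        if hit[0] not in expected:
            unexpected.append((m["ip"], m["ts"], hit[0], hit[1], int(m["status"])))
    return counts, unexpected

# Constructed sample lines (documentation IP ranges; "/old/" is a made-up path).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Feb/2015:08:01:12 +0000] "GET /index.php?title=Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2015:08:02:40 +0000] "POST /index.php?title=Sandbox&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2015:08:03:05 +0000] "POST /old/index.php?title=Cheap_pills&action=submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Feb/2015:08:03:09 +0000] "POST /old/api.php HTTP/1.1" 200 311 "-" "python-requests"',
    '192.0.2.44 - - [10/Feb/2015:08:04:00 +0000] "GET /old/index.php?title=Special:RecentChanges HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    counts, unexpected = find_write_requests(SAMPLE_LOG)
    for (path, kind), n in sorted(counts.items()):
        print(f"{n:4d}  {kind:9s}  {path}")
    for hit in unexpected:
        print("UNEXPECTED ENTRY POINT:", hit)
```

If a second install is reachable under a different hostname rather than a different path, run the same check against that virtual host's log, since the combined format does not record the host name.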
