Last modified: 2008-05-24 08:38:26 UTC
Created attachment 4920: patch
The edit part of the API also accepts requests via GET; you can trick anonymous users into spamming the wiki by giving them a link like [http://test.wikipedia.org/w/api.php?%61%63%74%69%6F%6E=%65%64%69%74&%74%69%74%6C%65=%55%73%65%72%3A%53%70%6C%61%72%6B%61&%73%75%6D%6D%61%72%79=%56%41%4E%44%41%4C%49%53%4D%21%21%31&%74%65%78%74=%62%69%74%65+%6D%65&%62%61%73%65%74%69%6D%65%73%74%61%6D%70=%32%30%30%38%30%35%32%33%32%31%33%35%32%39&%74%6F%6B%65%6E=%2B\]. A patch to require POST for editing is attached.
Committed to SVN trunk, r35259 and r35260.
What the hell, I could've sworn I'd enabled mustBePosted there...
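Added example, not part of the bug report or of MediaWiki's code: a log check for write actions that reached the API over GET, decoding the query string first because the link in the report percent-encodes even the parameter names, so a plain search for `action=edit` misses it. The access-log format, the `WRITE_ACTIONS` set, the function names and the sample log lines are assumptions constructed for illustration; the `/w/api.php` path and the encoded `action=edit` pair are taken from the reported URL.

```python
import re
from urllib.parse import parse_qs

# Assumption: API actions that change state and must only arrive via POST.
# "edit" is the one named in the report.
WRITE_ACTIONS = {"edit"}

# Request field of a Common Log Format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/[\d.]+"'
)

def write_action_over_get(method, query):
    """Return the write action carried by a non-POST request, or None."""
    if method == "POST":
        return None
    # parse_qs percent-decodes parameter names as well as values,
    # so %61%63%74%69%6F%6E=%65%64%69%74 is seen as action=edit.
    params = parse_qs(query, keep_blank_values=True)
    for action in params.get("action", []):
        if action.lower() in WRITE_ACTIONS:
            return action.lower()
    return None

def scan_access_log(lines, endpoint="/w/api.php"):
    """Return (line_number, action) for each non-POST write request to endpoint."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match or match.group("path") != endpoint:
            continue
        action = write_action_over_get(match.group("method"),
                                       match.group("query") or "")
        if action:
            hits.append((number, action))
    return hits

# Constructed sample log lines (documentation IP range, made-up titles).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/May/2008:21:40:01 +0000] "GET /w/api.php?action=query&titles=Main_Page HTTP/1.1" 200 512',
    '192.0.2.11 - - [23/May/2008:21:40:07 +0000] "GET /w/api.php?%61%63%74%69%6F%6E=%65%64%69%74&title=Sandbox&text=x HTTP/1.1" 200 230',
    '192.0.2.12 - - [23/May/2008:21:41:15 +0000] "POST /w/api.php HTTP/1.1" 200 198',
    '192.0.2.13 - - [23/May/2008:21:42:30 +0000] "GET /w/api.php?action=edit&title=Sandbox HTTP/1.1" 200 230',
    '192.0.2.14 - - [23/May/2008:21:43:02 +0000] "GET /w/index.php?action=edit&title=Sandbox HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, action in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: '{action}' requested without POST")
```

The same `write_action_over_get` test works as a request-time check in front of the API; on logs written after the fix, hits are expected to be rejected requests rather than completed edits.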