Last modified: 2005-07-27 01:50:54 UTC

Is it just me, or is the ability to edit another user's monobook.js file to
execute arbitrary code a huge security breach?
For instance, I was able to use my regular account to modify my test account to
load up the betterhistory script the next time I logged in:
by adding the line
User:Colin Hill is all worried that you should check his page's history before
you copy and paste this line, since someone could edit his page and change the
line to their own script. But they could just edit your user js themselves if
they wanted to do that!
"First, check this page's history to make sure you aren't installing something
else by mistake."
I'm going to mark this as super-bad so people see it, and not going to mention
it anywhere else. If I'm being paranoid and don't know what I'm talking about,
just downgrade it and yell at me that I'm an idiot and need to RTFM or whatever.

Oh, this is just because I'm an admin, isn't it?

One cannot edit another user's monobook.js unless one is a sysop.

(In reply to comment #2)
> One cannot edit another user's monobook.js unless one is a sysop.
I just figured that out. Sorry.