Last modified: 2005-02-25 05:59:04 UTC
BUG MIGRATED FROM SOURCEFORGE http://sourceforge.net/tracker/index.php?func=detail&aid=842921&group_id=34373&atid=411192

Originally submitted by Brion Vibber (vibber) 2003-11-16 00:29

Most form-handling code in the wiki doesn't actually check whether its stuff came via a GET or POST request. For the most part this isn't a big deal, but for admin actions that have confirmation screens, it's probably not a good idea. It's possible for instance to craft a URL that will delete a page or ban an IP address and trick a sysop into loading it (possibly disguised as an inline image, hidden iframe or other secondary URL) and performing the action. It's more difficult to fake a POST request, although still possible; checking the referrer header to avoid constructed forms on other sites (potentially autosubmitted via javascript) might be a step to counter this.
Most POSTable forms now check $wgRequest->wasPosted(), and admin & editing forms protect against off-site form submissions with a session-based token key. Resolving as FIXED.
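The two checks the resolution describes (reject non-POST requests, then require a token bound to the user's session) as an added illustration in Python; this is not MediaWiki's code, and the in-memory SESSIONS store, the HMAC-over-action token format and the function names are assumptions made for the example:

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for the server-side session store (assumption, not MediaWiki's code).
SESSIONS = {}

def new_session():
    """Start a session and give it its own random secret for deriving edit tokens."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_secret": secrets.token_bytes(32)}
    return sid

def issue_token(sid, action):
    """Token emitted as a hidden field in the confirmation form.

    Bound to the session secret and to the specific action, so a token
    leaked for one form does not authorize a different admin action.
    """
    secret = SESSIONS[sid]["csrf_secret"]
    return hmac.new(secret, action.encode(), hashlib.sha256).hexdigest()

def handle_admin_action(sid, method, action, submitted_token):
    """Perform a state-changing admin action only for a POST carrying a valid token."""
    # A crafted URL loaded via <img> or a hidden iframe only ever produces a GET.
    if method != "POST":
        return "rejected: must be POSTed"
    if sid not in SESSIONS or submitted_token is None:
        return "rejected: missing token"
    expected = issue_token(sid, action)
    # Constant-time comparison; an off-site form cannot know this session's secret.
    if not hmac.compare_digest(expected, submitted_token):
        return "rejected: bad token"
    return f"performed: {action}"
```

Unlike a Referer check, the token approach does not depend on a header that browsers and proxies may strip.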