Last modified: 2006-02-22 21:10:14 UTC

Bug 4083 - Special:Validation doesn't check wpEditToken
Product: MediaWiki
Classification: Unclassified
Component: Special pages (Other open bugs)
Hardware / OS: All / All
Priority / Severity: Normal / critical
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Reported: 2005-11-26 01:20 UTC by David Remahl
Modified: 2006-02-22 21:10 UTC
CC: 1 user


Description David Remahl 2005-11-26 01:20:12 UTC
Parts of the validation mechanism are restricted to bureaucrats. Several parts of the facility do not check for a valid wpEditToken, making it vulnerable to cross-site request forgery (CSRF). Basically, by tricking a privileged user into clicking on a link or submitting a malicious form, someone could for example change the set of topics.
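To make the reported gap concrete, here is an added illustration (not code from MediaWiki or from the report) of a privilege-only "change topics" handler beside one that also verifies wpEditToken. The token derivation (an HMAC over a constructed per-session secret), the handler names and the form field `wpTopics` are assumptions, not MediaWiki's actual implementation.

```python
import hashlib
import hmac
import secrets


def make_edit_token(session_secret: bytes, salt: str = "") -> str:
    """Derive an edit token bound to the user's session (assumed scheme,
    not MediaWiki's real wpEditToken derivation)."""
    return hmac.new(session_secret, salt.encode(), hashlib.sha256).hexdigest()


def check_edit_token(session_secret: bytes, submitted, salt: str = "") -> bool:
    """A missing token is a failure; present tokens are compared in constant time."""
    if not submitted:
        return False
    return hmac.compare_digest(make_edit_token(session_secret, salt), submitted)


def set_topics_vulnerable(session: dict, form: dict) -> bool:
    """Mirrors the reported behaviour: the bureaucrat check passes for any
    request the victim's browser sends, so no token means no CSRF protection."""
    if not session.get("is_bureaucrat"):
        return False
    session["topics"] = form["wpTopics"]
    return True


def set_topics_fixed(session: dict, form: dict) -> bool:
    """Hardened handler: same privilege check, plus the wpEditToken check."""
    if not session.get("is_bureaucrat"):
        return False
    if not check_edit_token(session["secret"], form.get("wpEditToken"), "topics"):
        return False
    session["topics"] = form["wpTopics"]
    return True


def demo() -> dict:
    """Run both handlers against a constructed bureaucrat session and three
    constructed form submissions; return which ones each handler accepts."""
    session = {"is_bureaucrat": True, "secret": secrets.token_bytes(32), "topics": ["a"]}
    tokenless = {"wpTopics": ["changed"]}                      # cross-site form: no token
    wrong = {"wpTopics": ["changed"], "wpEditToken": "0" * 64}  # guessed token
    legit = {"wpTopics": ["b"], "wpEditToken": make_edit_token(session["secret"], "topics")}
    return {
        "vulnerable_accepts_tokenless": set_topics_vulnerable(dict(session), tokenless),
        "fixed_rejects_tokenless": set_topics_fixed(dict(session), tokenless),
        "fixed_rejects_wrong_token": set_topics_fixed(dict(session), wrong),
        "fixed_accepts_valid": set_topics_fixed(dict(session), legit),
    }
```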
Comment 1 Antoine "hashar" Musso (WMF) 2006-01-08 19:16:32 UTC
Added a token in HEAD. Not sure if it's worthwhile as it seems the page from Special pages :(
Comment 2 Rob Church 2006-02-22 21:10:14 UTC
Referenced special page has been removed from CVS; the validation feature as described is no longer present.
