Last modified: 2010-05-01 20:18:56 UTC
The Special:Userlogin forms for login and account creation are not token-protected with a session, which caused bug 23076. However, r64677 only fixed it for login (which is the most critical due to $wgAllowUserJs). The hole remains for "E-mail me my password", "Create account" and "Create by e-mail", with the following abuse cases:
* For wikis allowing public account creation, an attacker could create many accounts via proxying users, avoiding IP blocks; the anon gets logged in (wikis using ConfirmEdit to request a captcha for createaccount are protected from this).
* If the victims were logged-in users, the attacker could create the accounts by e-mail and flood innocent parties, using the wiki as a gateway.
* If the victim was a sysop, the attacker could not only bypass the captcha protection, but also the username blacklist.
* It also provides a way to bypass the blocks and ping limit for sending many password resets, flooding its targets.
* On private wikis, an account creation targeting a sysop may expose confidential information.
Fixed on r65760
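As an added illustration of the session-bound token check the report asks for (example code written for this page, not MediaWiki's own implementation, with a constructed in-memory session store), the token is an HMAC over the form action keyed by a per-session secret, so a token minted for one session or one action is rejected for any other:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for a server-side session store: session id -> secret.
SESSIONS: dict = {}

# The Special:Userlogin actions named in the report (login was already fixed).
PROTECTED_ACTIONS = {"login", "createaccount", "createaccountmail", "mailpassword"}


def start_session() -> str:
    """Create a session and bind a fresh random secret to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def issue_token(sid: str, action: str) -> str:
    """Mint a token bound to both this session and this form action."""
    if action not in PROTECTED_ACTIONS:
        raise ValueError("unknown action: %r" % action)
    return hmac.new(SESSIONS[sid], action.encode(), hashlib.sha256).hexdigest()


def check_token(sid: Optional[str], action: str, token: Optional[str]) -> bool:
    """Accept the POST only if the token matches this session and this action.

    A request without a session (an anonymous visitor driven to the form)
    or without a token is refused rather than processed.
    """
    if not sid or sid not in SESSIONS or not token:
        return False
    if action not in PROTECTED_ACTIONS:
        return False
    expected = issue_token(sid, action)
    return hmac.compare_digest(expected, token)


def demo() -> dict:
    """Exercise the check with two sessions; returns the outcomes for inspection."""
    victim, attacker = start_session(), start_session()
    good = issue_token(victim, "createaccount")
    return {
        "own_token_accepted": check_token(victim, "createaccount", good),
        "cross_session_rejected": check_token(attacker, "createaccount", good),
        "cross_action_rejected": check_token(victim, "mailpassword", good),
        "anonymous_rejected": check_token(None, "createaccount", good),
        "missing_token_rejected": check_token(victim, "createaccount", None),
    }
```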