Last modified: 2005-07-27 01:50:54 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T4977, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 2977 - Users should not be able to edit each other's javascript
Status: RESOLVED INVALID
Product: MediaWiki
Classification: Unclassified
Component: User login and signup (Other open bugs)
Version: unspecified
Hardware / OS: All / All
Priority / Severity: Normal / normal
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2005-07-27 01:40 UTC by Omegatron
Modified: 2005-07-27 01:50 UTC (History)
CC: 0 users
See Also:
Web browser: ---
Mobile Platform: ---



Description Omegatron 2005-07-27 01:40:48 UTC
Is it just me, or is the ability to edit another user's monobook.js file to
execute arbitrary code a huge security breach?

For instance, I was able to use my regular account to modify my test account to
load up the betterhistory script the next time I logged in:

http://en.wikipedia.org/w/index.php?title=User:Omegatron_test_account/monobook.js&action=history

by adding the line

document.write('<script src="http://gladstone.uoregon.edu/~chill1/betterhistory/betterhistory.js"><\/script>');

User:Colin Hill is all worried that you should check his page's history before
you copy and paste this line, since someone could edit his page and change the
line to their own script.  But they could just edit your user js themselves if
they wanted to do that!

"First, check this page's history to make sure you aren't installing something
else by mistake."

http://en.wikipedia.org/wiki/User:Colin_Hill/BetterHistory 

I'm going to mark this as super-bad so people see it, and not going to mention
it anywhere else.  If I'm being paranoid and don't know what I'm talking about,
just downgrade it and yell at me that I'm an idiot and need to RTFM or whatever.
Comment 1 Omegatron 2005-07-27 01:42:35 UTC
Oh this is just because I'm an admin isn't it?

Whoops.
Comment 2 ABCD 2005-07-27 01:44:20 UTC
One cannot edit another user's monobook.js unless one is a sysop.
Comment 3 Omegatron 2005-07-27 01:50:54 UTC
(In reply to comment #2)
> One cannot edit another user's monobook.js unless one is a sysop.

I just figured that out.  Sorry.
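The rule stated in comment 2 (a user's JS subpage can be edited only by that user or by a sysop) and the reviewer advice quoted in the description ("check this page's history") can both be modelled in a few lines. The following Python is an added illustration written for this page; it is not MediaWiki's own permission code, and the names Actor, can_edit_user_js and external_script_sources are hypothetical. The sample title and script URL are the ones from the report; the cases are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical model of the rule from comment 2: a user JS subpage
# (User:<Name>/<something>.js) may be edited only by its owner or by a
# member of the sysop group. Constructed illustration, not MediaWiki code.
USER_JS_TITLE = re.compile(r"^User:([^/]+)/([^/]+\.js)$")


@dataclass(frozen=True)
class Actor:
    """The account attempting the edit and the groups it belongs to."""
    name: str
    groups: FrozenSet[str] = field(default_factory=frozenset)


def normalize_user_name(name: str) -> str:
    """Titles use '_' in URLs and ' ' in display; compare them alike."""
    return name.replace("_", " ").strip()


def parse_user_js_title(title: str) -> Optional[Tuple[str, str]]:
    """Return (owner, subpage) for a user JS subpage title, else None."""
    m = USER_JS_TITLE.match(title)
    if not m:
        return None
    return normalize_user_name(m.group(1)), m.group(2)


def can_edit_user_js(actor: Actor, title: str) -> bool:
    """Decide whether actor may edit the given user JS subpage.

    Raises ValueError for titles that are not user JS subpages, so callers
    cannot accidentally route ordinary pages through this stricter rule.
    """
    parsed = parse_user_js_title(title)
    if parsed is None:
        raise ValueError(f"not a user JS subpage: {title!r}")
    owner, _ = parsed
    if normalize_user_name(actor.name) == owner:
        return True
    return "sysop" in actor.groups


# Audit helper for the "check this page's history" advice: list the external
# script sources a revision of a user JS page would pull in, so a reviewer
# can compare them against what the page's author said they installed.
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def external_script_sources(js_source: str) -> List[str]:
    """Return the src URLs of <script> tags written into the page by js_source."""
    return SCRIPT_SRC.findall(js_source)


if __name__ == "__main__":
    # Constructed cases mirroring the report: the owner, a sysop, and an
    # ordinary user trying to edit another account's monobook.js.
    title = "User:Omegatron_test_account/monobook.js"
    print(can_edit_user_js(Actor("Omegatron test account"), title))            # owner
    print(can_edit_user_js(Actor("Omegatron", frozenset({"sysop"})), title))  # sysop
    print(can_edit_user_js(Actor("Omegatron"), title))                         # neither
    revision = ("document.write('<script src=\"http://gladstone.uoregon.edu/"
                "~chill1/betterhistory/betterhistory.js\"><\\/script>');")
    print(external_script_sources(revision))
```

The check is deliberately narrow: anything that is not a User:…/*.js title raises instead of returning a permissive default, which keeps the stricter rule from silently being skipped for pages it was never meant to cover.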
