Last modified: 2005-07-27 01:50:54 UTC

Bug 2977 - Users should not be able to edit each other's javascript

Product: MediaWiki
Classification: Unclassified
Component: User login and signup (Other open bugs)
Hardware: All
OS: All
Priority: Normal
Severity: normal (vote)
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Reported: 2005-07-27 01:40 UTC by Omegatron
Modified: 2005-07-27 01:50 UTC (History)
CC: 0 users
See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Omegatron 2005-07-27 01:40:48 UTC
Is it just me, or is the ability to edit another user's monobook.js file to execute arbitrary code a huge security breach?

For instance, I was able to use my regular account to modify my test account to load up the betterhistory script the next time I logged in:

by adding the line

User:Colin Hill is all worried that you should check his page's history before you copy and paste this line, since someone could edit his page and change the line to their own script. But they could just edit your user js themselves if they wanted to do that!

"First, check this page's history to make sure you aren't installing something else by mistake."

I'm going to mark this as super-bad so people see it, and not going to mention it anywhere else. If I'm being paranoid and don't know what I'm talking about, just downgrade it and yell at me that I'm an idiot and need to RTFM or whatever.
Comment 1 Omegatron 2005-07-27 01:42:35 UTC
Oh, this is just because I'm an admin, isn't it?

Comment 2 ABCD 2005-07-27 01:44:20 UTC
One cannot edit another user's monobook.js unless one is a sysop.
Comment 3 Omegatron 2005-07-27 01:50:54 UTC
(In reply to comment #2)
> One cannot edit another user's monobook.js unless one is a sysop.

I just figured that out.  Sorry.
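
The rule ABCD states in comment 2 (only the page's owner or a sysop may save to a user's monobook.js), modelled as an added example rather than MediaWiki's own code: a title check that recognises user script/style subpages, the authorisation decision, and an audit line a defender could review. The `User` record, the group name and the title regex are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class User:
    """Constructed stand-in for a wiki user record (not a MediaWiki class)."""
    name: str
    groups: set = field(default_factory=set)


# Assumed title shape: "User:<owner>/<anything>.js" or ".css". The script on
# such a page runs in the owner's browser, so a write to it by anyone else is
# client-side code injection against that one account.
USER_CONFIG_RE = re.compile(r"^User:([^/]+)/.+\.(js|css)$")


def user_config_owner(title: str):
    """Return the owning username for a user .js/.css subpage, else None.
    Underscores are folded to spaces, as wiki titles display them."""
    m = USER_CONFIG_RE.match(title)
    if not m:
        return None
    return m.group(1).replace("_", " ")


def can_edit(editor: User, title: str) -> bool:
    """The 2005 rule from this bug: owner or sysop for user JS/CSS pages;
    any other title falls through to ordinary edit permissions (True here)."""
    owner = user_config_owner(title)
    if owner is None:
        return True
    if editor.name == owner:
        return True
    return "sysop" in editor.groups


def audit(editor: User, title: str) -> str:
    """Constructed log line: a cross-user write to a script page is worth a
    reviewer's eye even when the policy allows it (sysop editing someone's JS)."""
    owner = user_config_owner(title)
    verdict = "allow" if can_edit(editor, title) else "deny"
    cross = owner is not None and owner != editor.name
    return f"{verdict} editor={editor.name} title={title} cross_user={cross}"
```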
