Author: madrat
Description:
With ConfirmEdit you can whitelist URLs that you don't want to require a CAPTCHA using the MediaWiki:captcha-addurl-whitelist page. However, you can't just whitelist a specific domain without a spammer being able to exploit it by adding the domain somewhere else in the URL.
For example: if you add wikimedia\.org to whitelist the wikimedia.org domain,
http://examplewikimedia.org/
http://wikimedia.org.example.com/
http://example.com/?http://wikimedia.org/
will all be able to bypass the CAPTCHA.
Version: unspecified
Severity: normal
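
The following is an added example, not part of the original report and not ConfirmEdit's own code. It assumes the whitelist entry is applied as an unanchored regex search over the whole URL, which is the behaviour the report describes, and contrasts that with a check on the parsed hostname. The function names and the two legitimate URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The three URLs from the report, plus two constructed legitimate ones.
REPORTED_BYPASSES = [
    "http://examplewikimedia.org/",
    "http://wikimedia.org.example.com/",
    "http://example.com/?http://wikimedia.org/",
]
LEGITIMATE = [
    "http://wikimedia.org/",
    "https://commons.wikimedia.org/wiki/Main_Page",
]


def unanchored_allows(pattern: str, url: str) -> bool:
    """Assumed model of the reported behaviour: the whitelist regex may
    match anywhere in the URL string."""
    return re.search(pattern, url, re.IGNORECASE) is not None


def host_allows(domain: str, url: str) -> bool:
    """Allow only when the parsed host is the domain or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    domain = domain.lower()
    # The leading dot stops "examplewikimedia.org" matching as a suffix.
    return host == domain or host.endswith("." + domain)


def compare(pattern: str, domain: str) -> dict:
    """Map each sample URL to (unanchored result, host-based result)."""
    return {
        url: (unanchored_allows(pattern, url), host_allows(domain, url))
        for url in REPORTED_BYPASSES + LEGITIMATE
    }


if __name__ == "__main__":
    results = compare(r"wikimedia\.org", "wikimedia.org")
    for url, (loose, strict) in results.items():
        print(f"{url:46} unanchored={loose!s:5} host-based={strict}")
```
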