Author: marco
Description:
patch
The edit part of the API also accepts requests via GET; you can trick anonymous users into spamming the wiki by giving them a link like [http://test.wikipedia.org/w/api.php?%61%63%74%69%6F%6E=%65%64%69%74&%74%69%74%6C%65=%55%73%65%72%3A%53%70%6C%61%72%6B%61&%73%75%6D%6D%61%72%79=%56%41%4E%44%41%4C%49%53%4D%21%21%31&%74%65%78%74=%62%69%74%65+%6D%65&%62%61%73%65%74%69%6D%65%73%74%61%6D%70=%32%30%30%38%30%35%32%33%32%31%33%35%32%39&%74%6F%6B%65%6E=%2B].
A patch to require POST for editing is attached.
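Added illustration (not the attached patch and not MediaWiki code): a small Python model of what the server sees when it decodes the link above, and a hypothetical front door for api.php that refuses the state-changing edit action unless it arrives via POST with a token matching the caller's session. The URL constant is the link from this report with the trailing wiki-markup escape dropped; `handle_api_request`, `WRITE_ACTIONS` and the session-token argument are assumptions for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the link from the report. Every parameter *name* is
# percent-encoded, so a reader does not see "action=edit" in the link text,
# but the server decodes it to an ordinary edit request.
REPORTED_URL = (
    "http://test.wikipedia.org/w/api.php?"
    "%61%63%74%69%6F%6E=%65%64%69%74&%74%69%74%6C%65=%55%73%65%72%3A%53%70%6C%61%72%6B%61"
    "&%73%75%6D%6D%61%72%79=%56%41%4E%44%41%4C%49%53%4D%21%21%31&%74%65%78%74=%62%69%74%65+%6D%65"
    "&%62%61%73%65%74%69%6D%65%73%74%61%6D%70=%32%30%30%38%30%35%32%33%32%31%33%35%32%39"
    "&%74%6F%6B%65%6E=%2B"
)

# Hypothetical set of API actions that change wiki state (assumption for this example).
WRITE_ACTIONS = {"edit"}


def decode_query(url: str) -> dict:
    """Decode the query string the way the server does: parameter names and
    values are both percent-decoded, and '+' in values becomes a space."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def handle_api_request(method: str, url: str, session_token: str) -> tuple:
    """Hypothetical api.php entry point. Returns (status, reason).

    The fix proposed in the report: a write action delivered by GET is refused,
    so a plain link can no longer perform an edit. The token comparison is the
    usual companion check; session_token stands in for the token the wiki
    issued to this visitor's session (assumption for the example)."""
    params = decode_query(url)
    action = params.get("action")
    if action not in WRITE_ACTIONS:
        return 200, f"action={action} is read-only, any method accepted"
    if method != "POST":
        return 405, f"action={action} must be sent via POST, got {method}"
    if params.get("token") != session_token:
        return 403, f"action={action} rejected: token does not match session"
    return 200, f"action={action} accepted"


if __name__ == "__main__":
    print(decode_query(REPORTED_URL))            # shows action=edit, text='bite me', token='+'
    print(handle_api_request("GET", REPORTED_URL, "+"))   # 405: link-click delivery refused
```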
Version: unspecified
Severity: critical
Attached: