Hi!
I'm developing a MediaWiki extension and use the MediaWiki API for bulk import of some files.
I usually log in to the API with a Bot password, but when I used wrong credentials, I still managed to edit pages and such. I was very confused and checked the CSRF token.
With CSRFTOKEN="+\\" I managed to log in and use API functions. I'm not sure if this is expected behavior.
I also checked out the real Wikipedia and was successful in editing a page. To reproduce, you can use this Python script:

import requests

URL = 'https://en.wikipedia.org/w/api.php'
S = requests.Session()

# Page text to submit; text.txt must exist next to the script
with open('text.txt', 'r') as f:
    text = f.read()

# '+\\' in Python source is the two-character string +\ ; the script performs no login first
PARAMS = {
    'action': 'edit',
    'title': 'Hocuspocus_(1930_film)',
    'token': '+\\',
    'format': 'json',
    'text': text,
}
R = S.post(url=URL, data=PARAMS)
print(R.json())
You need to put some text in the text.txt file and if it passes Wikipedia's abuse filters you will successfully edit the page.
I'm not sure if this is actually a security flaw or some kind of expected behavior. I'm sorry if I am wasting your time.
Kind Regards,
Oliver Tautz
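For a bot that imports files in bulk, the practical safeguard is to fail closed: confirm that the session is really logged in as the configured account before sending any edit, instead of trusting whatever token the API hands back. The following is an added example, not code from the original post or from MediaWiki itself. It assumes the standard MediaWiki API endpoints action=query&meta=userinfo|tokens and action=login, a bot account named ExampleBot, and uses only the Python standard library; the sample API responses embedded at the bottom are constructed for offline demonstration.

```python
"""Fail-closed login check for a MediaWiki API bot session (added example)."""
import json
import os
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# MediaWiki returns this fixed two-character token (+\) to every anonymous session.
# Real CSRF tokens for logged-in users also END in +\, so compare for equality, not suffix.
ANONYMOUS_CSRF_TOKEN = "+\\"


class NotLoggedIn(RuntimeError):
    """Raised when the session that was supposed to be a bot turns out to be anonymous."""


def check_session(userinfo: dict, csrf_token: str, expected_user: str) -> str:
    """Validate an API session before any write.

    userinfo:      the 'query' -> 'userinfo' object from action=query&meta=userinfo
    csrf_token:    the token from action=query&meta=tokens&type=csrf
    expected_user: the account the bot was configured to use
    Returns the CSRF token if the session is logged in as expected_user, else raises.
    """
    if "anon" in userinfo:  # MediaWiki sets the 'anon' key only for anonymous users
        raise NotLoggedIn("session is anonymous (login failed or was skipped)")
    if csrf_token == ANONYMOUS_CSRF_TOKEN:  # belt and braces: the anonymous token itself
        raise NotLoggedIn("received the anonymous CSRF token")
    if userinfo.get("name") != expected_user:  # logged in, but as some other account
        raise NotLoggedIn(f"logged in as {userinfo.get('name')!r}, expected {expected_user!r}")
    return csrf_token


def _get_json(opener: urllib.request.OpenerDirector, api_url: str, params: dict, post=False) -> dict:
    """Small helper: GET or POST api.php with format=json and decode the response."""
    params = dict(params, format="json")
    encoded = urllib.parse.urlencode(params)
    if post:
        with opener.open(api_url, data=encoded.encode()) as resp:
            return json.load(resp)
    with opener.open(api_url + "?" + encoded) as resp:
        return json.load(resp)


def login_with_bot_password(opener, api_url: str, username: str, password: str) -> None:
    """Log in via action=login (bot password flow); raises NotLoggedIn on failure."""
    login_token = _get_json(opener, api_url,
                            {"action": "query", "meta": "tokens", "type": "login"}
                            )["query"]["tokens"]["logintoken"]
    result = _get_json(opener, api_url,
                       {"action": "login", "lgname": username,
                        "lgpassword": password, "lgtoken": login_token},
                       post=True)["login"]
    if result.get("result") != "Success":
        raise NotLoggedIn(f"login failed: {result.get('reason', result.get('result'))}")


def fetch_session_state(opener, api_url: str) -> tuple:
    """Fetch userinfo and a CSRF token in one request; returns (userinfo, token)."""
    data = _get_json(opener, api_url,
                     {"action": "query", "meta": "userinfo|tokens", "type": "csrf"})
    return data["query"]["userinfo"], data["query"]["tokens"]["csrftoken"]


# Constructed sample API responses (not real accounts or IPs) for offline demonstration.
ANON_USERINFO = {"id": 0, "name": "203.0.113.7", "anon": ""}
BOT_USERINFO = {"id": 4242, "name": "ExampleBot"}
SAMPLE_BOT_TOKEN = "0123456789abcdef0123456789abcdef+\\"


def demo() -> dict:
    """Run check_session over the constructed samples; returns which cases were rejected."""
    outcomes = {}
    for label, info, token in (("anonymous", ANON_USERINFO, ANONYMOUS_CSRF_TOKEN),
                               ("bot", BOT_USERINFO, SAMPLE_BOT_TOKEN),
                               ("wrong-account", BOT_USERINFO, SAMPLE_BOT_TOKEN)):
        expected = "OtherBot" if label == "wrong-account" else "ExampleBot"
        try:
            check_session(info, token, expected)
            outcomes[label] = "allowed"
        except NotLoggedIn as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    print(demo())
    # Live use (hypothetical placeholders read from the environment; no defaults on purpose):
    api = os.environ.get("MW_API_URL")      # e.g. https://wiki.example.org/w/api.php
    user = os.environ.get("MW_BOT_USER")    # e.g. ExampleBot@importer
    pw = os.environ.get("MW_BOT_PASSWORD")
    if api and user and pw:
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
        login_with_bot_password(opener, api, user, pw)
        info, token = fetch_session_state(opener, api)
        csrf = check_session(info, token, user.split("@", 1)[0])  # bot-password names are User@label
        print("logged in as", info["name"], "with a", len(csrf), "character CSRF token")
```

The design point is that the edit token alone tells you nothing about who is editing: the anonymous session gets the literal token +\ and, on a wiki whose configuration allows anonymous edits, the API accepts it. Checking meta=userinfo for the anon key and comparing the account name makes a misconfigured or failed login stop the import instead of silently writing as an anonymous user.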