Page MenuHomePhabricator
Create Task
Maniphest T6083

Special:Validation doesn't check wpEditToken
Closed, InvalidPublic
Actions

Description

Author: david

Description:
Parts of the validation mechanism is restricted to bureaucrats. Several parts of the facility do not check for a valid
wpEditToken, making it vulnerable to cross-site request forgery (CSRF). Basically, by tricking a privileged user into
clicking on a link or submitting a malicious form, someone could for example change the set of topics.

Version: unspecified
Severity: critical

Details

Reference
bz4083

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 8:58 PM
bzimport added a project: MediaWiki-Special-pages.
bzimport set Reference to bz4083.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Nov 26 2005, 1:20 AM
hashar added a comment.Jan 8 2006, 7:16 PM

Added a token in HEAD. Not sure if it's worthfull as it seems
the page from Special pages :(

bzimport added a comment.Feb 22 2006, 9:10 PM

robchur wrote:

Referenced special page has been removed from CVS; the validation feature as
described is no longer present.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL