https://bugzilla.wikimedia.org/show_bug.cgi?id=33055
Web browser: ---
Bug #: 33055
Summary: (ClickTracking) API is wide open for database flooding.
Product: MediaWiki extensions
Version: any
Platform: All
OS/Version: All
Status: NEW
Keywords: tracking
Severity: major
Priority: Unprioritized
Component: [other]
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
The ClickTracking API will accept any token, any number of times.
This could be a potential nightmare, as anyone can send any number of requests
to this API, with the same token or not. As long as the required parameters are set, it
will log each request in the database under click_tracking and
click_tracking_events (if the eventid is not already in the table), thus
potentially creating 2 records per request.
Reproduce with:
http://en.wikipedia.org/w/api.php?action=clicktracking&eventid=test&token=3w6hX0q2qUgQTe4I0XzaggpeH2493KsaE&redirectto=/wiki/User_talk:Robmoen&additional=Is_this_Wide_Open&namespacenumber=3
A possible solution would be to require ClickTracking to use a secure, one-time-use
token, as the current 32-character token is only used for analytical
purposes.
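The fix proposed above (a secure token that is accepted exactly once) is shown below as an added example; it is not ClickTracking's or MediaWiki's code. It assumes an in-memory token store standing in for a database-backed token table, a `ClickLog` stand-in for the `click_tracking` / `click_tracking_events` tables, and hypothetical names (`TokenStore`, `handle_clicktracking`, `replay_attempts`). The point it demonstrates is that replaying one valid token, or sending a forged one, writes at most one row instead of one row per request.

```python
"""Single-use tracking tokens: added example, not the extension's own code.

Assumptions (hypothetical, not from the report): an in-memory TokenStore stands
in for a token table; ClickLog stands in for click_tracking and
click_tracking_events; TOKEN_TTL_SECONDS is an arbitrary expiry.
"""
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed: a token is valid for 10 minutes after issue


class TokenStore:
    """Issues unpredictable tokens and lets each one be consumed exactly once."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._issued = {}        # token -> expiry timestamp

    def issue(self):
        # 24 random bytes -> 32 URL-safe characters, generated with a CSPRNG
        tok = secrets.token_urlsafe(24)
        self._issued[tok] = self._now() + TOKEN_TTL_SECONDS
        return tok

    def consume(self, token):
        """True only for a token that was issued, is unexpired and unused.

        The first call removes the token, so any replay returns False.
        """
        expiry = self._issued.pop(token, None)
        if expiry is None:
            return False
        return self._now() <= expiry


class ClickLog:
    """Stand-in for the two tables the report says are written per request."""

    def __init__(self):
        self.clicks = []         # one row per accepted request (click_tracking)
        self.events = set()      # distinct event ids (click_tracking_events)

    def record(self, event_id, params):
        self.clicks.append((event_id, dict(params)))
        self.events.add(event_id)


def handle_clicktracking(params, store, log):
    """Log a click only when its token is valid and has not been used before.

    Returns "logged" on success, otherwise a short rejection reason.
    """
    required = ("eventid", "token", "namespacenumber")
    if any(key not in params for key in required):
        return "missing-param"
    if not store.consume(params["token"]):
        return "bad-token"       # unknown, expired, or already consumed
    log.record(params["eventid"], params)
    return "logged"


def replay_attempts(n_replays):
    """Issue one token and send it n_replays + 1 times.

    Returns (accepted_requests, rows_written); with single-use tokens both are 1.
    """
    store, log = TokenStore(), ClickLog()
    token = store.issue()
    params = {"eventid": "test", "token": token, "namespacenumber": "3"}
    results = [handle_clicktracking(params, store, log) for _ in range(n_replays + 1)]
    return results.count("logged"), len(log.clicks)


if __name__ == "__main__":
    print("accepted, rows:", replay_attempts(1000))   # -> (1, 1)
```

Consuming the token on its first use is what bounds the write volume: a client can cause at most one row per token it was issued. Token issuance therefore needs its own limit (and the expiry keeps an unused token from being banked indefinitely); otherwise a client that fetches tokens as quickly as it sends clicks still writes one row per token.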
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l