https://bugzilla.wikimedia.org/show_bug.cgi?id=19161

--- Comment #6 from Platonides <[email protected]>  2009-06-11 22:33:46 UTC ---
The site http://austinhair.org/guess/ is a good example in-the-wild.

It has been promoted in mailing lists, IRC, looks like a funny app and sends you to rarely used wikis with the user knowing about it. If the site operator decides to correlate the logs, he will get lots of Wikimedian IPs.


(In reply to comment #4)
> I am not very well versed in web security, but from what I have found with a search engine, there existed exploits in the past for browsers as well as media plugins to redirect users to websites with a fake referer. The general opinion seems to be that it is not good security practice to rely on the referer not being tampered with.

{{reference-needed}}
An evil guy can easily use a fake referer, but a legitimate user would provide the right one (or none at all). It could be bypassed with things like clickjacking, though.


(In reply to comment #5)
> Malicious remote websites could still force visitors to POST to Wikimedia. A
> simple <form> with someformelement.click() would do nicely.

It'd obviously also use a token.
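The policy sketched in this comment, as an added example that is not part of the bug thread or of MediaWiki's code: a missing Referer is tolerated, a foreign Referer is rejected, and on top of that every POST must carry a session-bound token that a third-party page cannot read. The host list, the secret, the session layout and the form field name `token` are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed for the example: hostnames that count as "our own" wikis.
SITE_HOSTS = {"en.wikipedia.org", "commons.wikimedia.org"}


def referer_ok(referer):
    """Referer rule from the comment: no Referer at all is accepted (privacy
    tools and some proxies strip it), a same-site Referer is accepted,
    anything else is rejected."""
    if not referer:
        return True
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in SITE_HOSTS


def make_edit_token(server_secret, session_id):
    """Hypothetical token scheme: HMAC of the session id under a server-side
    secret, so the token is tied to this session and unguessable elsewhere."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(server_secret, session_id, submitted):
    if not submitted:
        return False
    expected = make_edit_token(server_secret, session_id)
    # Constant-time comparison so a wrong guess leaks nothing via timing.
    return hmac.compare_digest(expected, submitted)


def accept_post(headers, form, session, server_secret):
    """A POST is accepted only if BOTH checks pass. A remote page that makes
    the browser submit a <form> cannot read the victim's token, so its POST
    fails even when the Referer is absent or looks plausible."""
    if not referer_ok(headers.get("Referer")):
        return False
    return token_ok(server_secret, session["id"], form.get("token"))
```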

