https://bugzilla.wikimedia.org/show_bug.cgi?id=43646
Web browser: ---
Bug ID: 43646
Summary: Copyright allows raw HTML which can be used by rogue
admins to enforce logout of everyone
Product: MediaWiki
Version: 1.21-git
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: Unprioritized
Component: General/Unknown
Assignee: [email protected]
Reporter: [email protected]
Classification: Unclassified
Mobile Platform: ---
[[MediaWiki:Copyright]] still allows raw HTML input which can be maliciously
used by rogue admins by adding <img
src="http://my_host/index.php?title=Special:UserLogout"/> to
[[MediaWiki:Copyright]] so everyone will be forcefully logged out.
Did talk to the security responsible dude an age ago (one year ago approx), but
nothing seems to have been done to address this issue, nor has any bug been
written.
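An added example, not part of the original report and not MediaWiki code: a Python check a wiki operator could run over the text of raw-HTML interface messages such as [[MediaWiki:Copyright]] to flag elements that make browsers request the logout URL without any click. The tag list, the function names and the /wiki/Special:UserLogout path form are assumptions of this sketch, and the sample strings are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs, unquote

# Tag -> attributes a browser fetches on page load (assumed list, not exhaustive).
AUTO_FETCH = {
    "img": ("src",), "iframe": ("src",), "script": ("src",),
    "embed": ("src",), "source": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "object": ("data",), "link": ("href",),
}
LOGOUT_TITLE = "special:userlogout"  # page title named in the report


def _norm(title):
    # Treat spaces and underscores alike and compare case-insensitively.
    return unquote(title).replace(" ", "_").strip("_").lower()


def targets_logout(url):
    parts = urlsplit(url)
    # index.php?title=Special:UserLogout form, as in the report.
    titles = parse_qs(parts.query).get("title", [])
    # Path form such as /wiki/Special:UserLogout (assumed short-URL layout).
    last_segment = parts.path.rsplit("/", 1)[-1]
    return any(_norm(t) == LOGOUT_TITLE for t in titles + [last_segment])


class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # Also called for self-closing tags such as <img ... />.
        for name, value in attrs:
            if name in AUTO_FETCH.get(tag, ()) and value and targets_logout(value):
                self.hits.append((tag, name, value))


def find_forced_logout(message_html):
    """Return (tag, attribute, url) for each auto-loaded logout URL."""
    finder = _Finder()
    finder.feed(message_html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    # Constructed sample: the message text described in the report.
    sample = '(c) Example <img src="http://my_host/index.php?title=Special:UserLogout"/>'
    print(find_forced_logout(sample))
```

An ordinary `<a href>` logout link is deliberately not flagged, because it only fires when a user clicks it.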