https://bugzilla.wikimedia.org/show_bug.cgi?id=25793
Roan Kattouw <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INVALID

--- Comment #3 from Roan Kattouw <[email protected]> 2010-11-05 11:57:33 UTC ---
Hmm, on second thought, this isn't a security issue at all. Reverted r76077 in
r76080.

The only way an attacker can read the echoed session ID is if they can request
it using JS running on the same domain (evil admin scenario, like you said).
Cross-domain, it won't work. And if the attacker can run JS on the same domain,
they can do much worse things already (e.g. bypass the CSRF safeguards and edit
things as you), most notably access our cookies directly without needing the API
to echo them back at them.
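The same-origin argument in the comment above, as an added JavaScript example that is not code from the bug report or from MediaWiki. It models an API endpoint that echoes the caller's Cookie header back in a JSON body (an assumption about what the reverted change did; the real response shape is not on this page), a browser's decision on whether a script may read a response (the CORS read check from the Fetch standard), and a hypothetical misconfigured variant of the endpoint that reflects any Origin with credentials allowed. The origins and the session cookie value are constructed for the example.

```javascript
// Constructed values for the example (hypothetical origins and cookie).
const WIKI_ORIGIN = "https://wiki.example";
const ATTACKER_ORIGIN = "https://evil.example";
const VICTIM_COOKIE = "wiki_session=abc123def456";

// Model of the echoing endpoint (assumption: it returns the request's Cookie
// header in the JSON body and sets no CORS headers, as a plain same-site API would).
function apiEcho(request) {
  return {
    status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ cookies: request.headers.cookie || "" }),
  };
}

// Hypothetical misconfigured variant: reflects the caller's Origin and allows
// credentials. This is the one deployment where the echo would become a leak.
function apiEchoReflectingOrigin(request) {
  const response = apiEcho(request);
  if (request.headers.origin) {
    response.headers["access-control-allow-origin"] = request.headers.origin;
    response.headers["access-control-allow-credentials"] = "true";
  }
  return response;
}

// Model of the browser building the request a script at scriptOrigin sends to
// apiOrigin. Cookies go along on same-origin requests, and on cross-origin
// requests only when the script asks for credentials (fetch credentials: "include").
function browserRequest(scriptOrigin, apiOrigin, { withCredentials = false } = {}) {
  const sameOrigin = scriptOrigin === apiOrigin;
  const headers = {};
  if (sameOrigin || withCredentials) headers.cookie = VICTIM_COOKIE;
  if (!sameOrigin) headers.origin = scriptOrigin;
  return { headers, scriptOrigin, apiOrigin, withCredentials: sameOrigin || withCredentials };
}

// The browser's CORS read check: may the script at request.scriptOrigin read
// this response body? Same-origin always; cross-origin only with a matching
// Access-Control-Allow-Origin, and for credentialed requests the origin must be
// echoed exactly (no "*") together with Access-Control-Allow-Credentials: true.
function scriptCanRead(request, response) {
  if (request.scriptOrigin === request.apiOrigin) return true;
  const acao = response.headers["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (request.withCredentials) {
    return acao === request.scriptOrigin &&
      response.headers["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === request.scriptOrigin;
}

// What an attacker's script actually obtains: the echoed cookie string, or null
// when the browser refuses to expose the response.
function leakedCookie(scriptOrigin, apiOrigin, opts = {}, api = apiEcho) {
  const request = browserRequest(scriptOrigin, apiOrigin, opts);
  const response = api(request);
  if (!scriptCanRead(request, response)) return null;
  return JSON.parse(response.body).cookies;
}

// Same-origin script (the "evil admin" case): reads the echo, but such a script
// could read document.cookie or make credentialed edits anyway.
console.log("same-origin:", leakedCookie(WIKI_ORIGIN, WIKI_ORIGIN));
// Cross-origin without credentials: no cookie is even sent, and the read is blocked.
console.log("cross-origin, anonymous:", leakedCookie(ATTACKER_ORIGIN, WIKI_ORIGIN));
// Cross-origin with credentials against the plain endpoint: cookie is sent, read is blocked.
console.log("cross-origin, credentialed:", leakedCookie(ATTACKER_ORIGIN, WIKI_ORIGIN, { withCredentials: true }));
// Cross-origin with credentials against the reflecting variant: the echo leaks.
console.log("cross-origin, reflected CORS:",
  leakedCookie(ATTACKER_ORIGIN, WIKI_ORIGIN, { withCredentials: true }, apiEchoReflectingOrigin));
```

The check a practitioner would keep in mind is the last case: the "not a security issue" conclusion holds while the endpoint sends no credentialed CORS grant to untrusted origins. Note also that a same-origin script cannot read an HttpOnly cookie through document.cookie, but it can still send credentialed requests carrying it, which is the CSRF-bypass point made in the comment.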
