https://bugzilla.wikimedia.org/show_bug.cgi?id=25793
--- Comment #5 from Marooned <[email protected]> 2010-11-05 12:08:27 UTC ---

This cookie is httponly, so using document.cookie won't allow you to get it. The API call makes it possible. CSRF allows an evil admin to run unprotected actions; such actions should be fixed (by requiring a token, for example). The bug mentioned here allows you not only to run unprotected actions but to take over the whole account, and fixing it sounds reasonable.
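The comment draws two distinctions worth seeing in code: the HttpOnly attribute keeps a cookie out of document.cookie but says nothing about a server endpoint that echoes the value back, and an action is only safe against CSRF once it requires a token bound to the caller's session. The following is an added illustration written for this page, not MediaWiki's code or its real API; the server key, session ids, cookie values and token scheme are all constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side key (hypothetical); in a real deployment this
# would be loaded from configuration, never generated per process.
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token_for(session_id: str) -> str:
    """Derive a token bound to one session.

    Binding the token to the session means a token obtained from another
    session, or one an attacker simply guesses, does not validate here.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def cookie_is_httponly(set_cookie_header: str) -> bool:
    """Report whether a Set-Cookie header carries the HttpOnly attribute.

    HttpOnly hides the value from document.cookie only. It does not help if
    some server response (such as an API call) includes the cookie value in
    its body, which is the gap the comment describes.
    """
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" in attributes


def run_action(session_id: str, submitted_token: Optional[str], action: str) -> dict:
    """State-changing action that refuses to run without a matching token.

    An "unprotected action" in the comment's sense would skip this check,
    so a forged cross-site request could perform it with the privileges of
    whoever's session is sent along with it.
    """
    if submitted_token is None:
        return {"ok": False, "error": "missingtoken"}
    expected = csrf_token_for(session_id)
    # Constant-time comparison so a mismatch leaks nothing via timing.
    if not hmac.compare_digest(expected, submitted_token):
        return {"ok": False, "error": "badtoken"}
    return {"ok": True, "action": action}


if __name__ == "__main__":
    # Constructed sample headers and a sample session.
    print(cookie_is_httponly("session=abc123; Path=/; HttpOnly; Secure"))  # True
    print(cookie_is_httponly("session=abc123; Path=/"))                    # False
    token = csrf_token_for("session-1")
    print(run_action("session-1", token, "delete"))                        # ok
    print(run_action("session-1", None, "delete"))                         # missingtoken
```

Checking the Set-Cookie header is the cheap part of an audit; the harder part, which no header flag covers, is reviewing every response that might include the session value, since that is exactly what HttpOnly cannot prevent.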
