https://bugzilla.wikimedia.org/show_bug.cgi?id=25793

--- Comment #5 from Marooned <maroo...@wikia.com> 2010-11-05 12:08:27 UTC ---
This cookie is httponly, so using document.cookie won't allow you to get it. The
API call makes it possible.
CSRF allows an evil admin to run unprotected actions - such actions should be
fixed (by requiring a token, for example).

The bug mentioned here allows you not only to run unprotected actions but to take
over the whole account, and fixing it sounds reasonable.


_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l