https://bugzilla.wikimedia.org/show_bug.cgi?id=25793

--- Comment #6 from Roan Kattouw <[email protected]> 2010-11-05 12:21:44 UTC ---
(In reply to comment #5)
> This cookie is httponly so using document.cookie won't allow you to get it.
You're right about that, my mistake.

> The API call makes it possible.
Yes, but it doesn't matter much, see below.

> CSRF allows evil admin to run unprotected actions - such actions should be
> fixed (by requiring a token, for example).
Yes, and we do require tokens. Tokens prevent CROSS-site scripting, but they
can't protect against SAME-site scripting. Once the attacker has JS running on
the same site, they can edit as you, create/move/delete pages at you, etc.,
etc., and we can't protect against that. So in practice, they've already taken
over your account, and they can take it over for real by changing your e-mail
address, using the "I forgot my password" feature to reset the password, then
logging you out.

> The bug mentioned here allows you not only to run unprotected actions but to take
> over the whole account, and fixing it sounds reasonable.
Stealing someone's cookies does allow you to take over their account, but once
you're running JS from the same domain you can already do the same thing
without needing the cookie data.
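The distinction Roan draws above (the token check stops a request forged from another origin, but is no obstacle to script already running on the wiki's own origin, which can simply ask the API for the token) can be made concrete with a small simulation. The following is an added illustration, not MediaWiki code and not code from this bug report: the `Server`, `Browser`, `/api/token` and `/edit` names are invented for the demo, and the only behaviour taken from the discussion is that the session cookie is HttpOnly, that actions require a per-session token, and that the token is exposed through an API call. The `Browser` class models just the two browser rules that matter here: cookies are attached to every request to the site regardless of which page issued it, and a response body is readable only by script on the same origin.

```python
"""Toy model of 'CSRF tokens do not help against same-site scripting'.

Added illustration with invented names; not MediaWiki's implementation.
"""
import hmac
import secrets

SITE = "https://wiki.example"   # constructed origin for the demo


class Server:
    """Stand-in wiki: HttpOnly session cookie plus a per-session CSRF token."""

    def __init__(self):
        self.sessions = {}   # session id -> username
        self.tokens = {}     # session id -> CSRF token
        self.edits = []      # (username, page) audit log of accepted edits

    def login(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        self.tokens[sid] = secrets.token_hex(16)
        return sid

    def handle(self, path, cookies, params):
        sid = cookies.get("session")
        user = self.sessions.get(sid)
        if user is None:
            return 401, "not logged in"
        if path == "/api/token":
            # Read-only API: hands the token to whoever holds the session.
            return 200, self.tokens[sid]
        if path == "/edit":
            # Constant-time comparison of the submitted token against the session's.
            if not hmac.compare_digest(self.tokens[sid], params.get("token", "")):
                return 403, "bad token"
            self.edits.append((user, params["page"]))
            return 200, "edited"
        return 404, "no such path"


class Browser:
    """Cookies go out on every request to SITE; response bodies are readable
    only by same-origin script; HttpOnly cookies are hidden from document.cookie."""

    def __init__(self, server):
        self.server = server
        self.cookies = {}   # name -> (value, httponly)

    def login(self, username):
        self.cookies["session"] = (self.server.login(username), True)

    def document_cookie(self):
        return {n: v for n, (v, httponly) in self.cookies.items() if not httponly}

    def request(self, path, params=None, origin=SITE):
        jar = {n: v for n, (v, _) in self.cookies.items()}
        status, body = self.server.handle(path, jar, params or {})
        if origin != SITE:
            body = None   # opaque to cross-origin script (same-origin policy)
        return status, body


def cross_origin_request_is_rejected(server):
    """A page on another origin: cookie is sent, but nothing is readable."""
    b = Browser(server)
    b.login("alice")
    cookie_visible = "session" in b.document_cookie()          # HttpOnly -> False
    _, token = b.request("/api/token", origin="https://other.example")   # body is None
    status, _ = b.request("/edit", {"page": "Main", "token": token or ""},
                          origin="https://other.example")
    return status, cookie_visible, len(server.edits)


def same_origin_script_passes_token_check(server):
    """Script on the wiki's own origin: the token is one API call away, so the
    token check is satisfied without ever reading the HttpOnly cookie."""
    b = Browser(server)
    b.login("alice")
    _, token = b.request("/api/token")     # readable: same origin
    status, _ = b.request("/edit", {"page": "Main", "token": token})
    return status, list(server.edits)


if __name__ == "__main__":
    print(cross_origin_request_is_rejected(Server()))        # (403, False, 0)
    print(same_origin_script_passes_token_check(Server()))   # (200, [('alice', 'Main')])
```

The second function is the whole of Roan's point: once script runs on the site's origin, the token and the HttpOnly flag are both satisfied or bypassed by design, so the protection has to come from preventing script injection in the first place rather than from the token layer.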
