The Special:Userlogin forms for login and account creating is not token
protected with a session, which caused bug 23076. However, r64677 only
fixed it for login (which is the most critical due to $wgAllowUserJs).
The hole remains for "E-mail me my password", "Create account" and
"Create by e-mail", with the following abuse cases:
*For wikis allowing public account creation, an attacker could create
many accounts via proxying users, avoiding ip blocks, the anon gets
logged in (wikis using ConfirmEdit to request a captcha for createaccount
are protected from this).
*If the victims were logged users, the attacker could create the
accounts by email and flood innocent parties using the wiki as gateway.
*If the victim was a sysop, the attacker could not only bypass the
captcha protection, but also the username blacklist.
*It also provides a way to bypass the blocks and ping limit for sending
many password resets flooding its targets.
*On private wikis an account creation by targeting a sysop may expose
confidential information.
Version: 1.16.x
Severity: critical