Author: etdp01
Description:
1.17 has a new feature that allows tacking a query string onto the usual Special:Random syntax, resulting in loading a URL that combines the randomly-selected page name and the query string. This feature is not at all well thought out; it can be used to construct an auto-vandalism URL to post anywhere you like on the Web, resulting in distributed mass-vandalism. Likewise a smart vandal can copy and paste a handcrafted URL many times to vandalize many pages quickly. There are other bad things you can automate with this as well. I'm not going to post an example URL here, but any developer should feel free to mail me if you want one. Please disable this.
Version: 1.17.x
Severity: major