
Disable passing query strings through Special:Random
Closed, Invalid
Public

Description

Author: etdp01

Description:
1.17 has a new feature that allows tacking a query string onto the usual Special:Random syntax, resulting in loading a URL that combines the randomly-selected page name and the query string. This feature is not at all well thought-out; it can be used to construct an auto-vandalism URL to post anywhere you like on the Web, resulting in distributed mass-vandalism. Likewise a smart vandal can copy-and-paste a handcrafted URL many times to vandalize many pages quickly. There are other bad things you can automate with this as well. I'm not going to post an example URL here, but any developer should feel free to mail me if you want one. Please disable this.


Version: 1.17.x
Severity: major

Details

Reference
bz27261

Event Timeline

bzimport raised the priority of this task to High. Nov 21 2014, 11:19 PM
bzimport set Reference to bz27261.
bzimport added a subscriber: Unknown Object (MLST).

Bryan.TongMinh wrote:

All actions that could lead to vandalism require an edittoken. There is no way that from outside the wiki you can directly edit a page or something like that.
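Bryan's point, that a save requires an edit token bound to the logged-in session, as an added illustration (not MediaWiki's code and not the reporter's): a GET produced by following a Special:Random redirect carries only the query string and no token, and a token issued to a different session fails the check. The field name wpEditToken follows MediaWiki's edit form; the HMAC scheme, the `+\` suffix and the session ids are simplifying assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed, simplified illustration of the edit-token check; not MediaWiki's real code.
# The secret never leaves the wiki, so a URL posted elsewhere cannot carry a valid token.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_SUFFIX = "+\\"  # assumption: marker appended so a token is never an empty string


def issue_edit_token(session_id: str) -> str:
    """Token handed to a logged-in session's edit form; bound to that session by HMAC."""
    mac = hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()
    return mac + TOKEN_SUFFIX


def token_is_valid(session_id: str, token: str) -> bool:
    """Constant-time comparison against the token this session should hold."""
    if not token or not token.endswith(TOKEN_SUFFIX):
        return False
    return hmac.compare_digest(issue_edit_token(session_id), token)


def handle_edit(session_id: str, method: str, params: dict) -> tuple:
    """Server-side gate in front of a page save; returns (http_status, reason).

    Only a POST carrying the session's own token reaches the save step.
    A GET assembled from a query string is refused before any token check.
    """
    if method != "POST":
        return 405, "edits require POST, not a GET with a query string"
    if not token_is_valid(session_id, params.get("wpEditToken", "")):
        return 403, "missing or foreign edit token"
    return 200, f"saved {params.get('title')}"


if __name__ == "__main__":
    victim = "session-abc"  # constructed session id
    # Following a redirect yields only a GET with whatever the query string held.
    print(handle_edit(victim, "GET", {"title": "Some_page", "wpTextbox1": "x"}))
    # A token issued to another session does not transfer to this one.
    other = issue_edit_token("session-xyz")
    print(handle_edit(victim, "POST", {"title": "Some_page", "wpEditToken": other}))
    # The session's own form submission is the only path that saves.
    own = issue_edit_token(victim)
    print(handle_edit(victim, "POST", {"title": "Some_page", "wpEditToken": own}))
```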