20 Dec 21:02
Re: POSSIBLE SECURITY FLAW IN INDEX.PHP (Cross-Scripting)
From: Brion Vibber <brion@...>
Subject: Re: POSSIBLE SECURITY FLAW IN INDEX.PHP (Cross-Scripting)
Newsgroups: gmane.science.linguistics.wikipedia.technical
Date: 2005-12-20 20:02:43 GMT
Subject: Re: POSSIBLE SECURITY FLAW IN INDEX.PHP (Cross-Scripting)
Newsgroups: gmane.science.linguistics.wikipedia.technical
Date: 2005-12-20 20:02:43 GMT
Tom Markle wrote:
> You need to take steps to prevent malicious scripting- currently various
> forms of
[snip]
> That runs locally and uses basic javascript to change the 'wpEdittime' var
> to a few seconds before current time could be used to coordinate disruptive
> attacks.
Client-side code is, naturally, not under our control, so there's not anything
to "prevent".
If you're referring to offsite form submissions automated with JavaScript, we
already have protection in place to prevent this for registered users. At most
it would be an annoyance for unregistered accounts as there's no security issue
-- you can already submit edits as an unregistered visitor.
Since the protection requires maintaining session state, requiring it for
anonymous editors would also cut out users who don't accept cookies.
> I know that it is a simple matter to fix entries, but it is a
> simpler matter to stick a
> if(getenv("HTTP_REFERER")='207.142.131.202'){}else{//fail handler}
> or similar line in the submit function.
Referrers are utterly unreliable: first, the client can always falsify them.
Second, requiring it will cut out anyone using a privacy proxy.
-- brion vibber (brion @ pobox.com)
_______________________________________________ Wikitech-l mailing list Wikitech-l@... http://mail.wikipedia.org/mailman/listinfo/wikitech-l
RSS Feed