Tim Starling wrote:
It's possible for a malicious person to trick your browser into requesting the Special:Blockme address, e.g. with an image with its source set to Special:Blockme
Hmmm, that doesn't sound sensible, it's just too easy for someone to screw around with.
Is this right? All I need to do is have a cgi script on a web page that dynamically generates a link like this:
<img src=http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=xxx.xxx.xx...
where I substitute xxx.xxx.xxx.xxx with the victim's ip number?
So, on my User:EvilUser homepage I just write: "Sysops and wikipedians! Before you ban me or get upset with my actions, please read my explanation of my behavior at http://www.eviluser.com/wikipedia.cgi ! Thanks!"
Heh. But, not good.
This seems easy enough to fix. The link above should do nothing. If we're testing a proxy, we should try to get the client to request ...?title=Special:Blockme&validation=xxxxxxxxxxxxxxxx
where 'xxxxxxxxxxxxxx' is something that we can generate easily but that's difficult for User:EvilUser to duplicate.
--Jimbo