[WikiEN-l] Re: Why am I blocked ?
Jimmy Wales
jwales at bomis.com
Fri Apr 2 09:10:20 UTC 2004
Tim Starling wrote:
> It's possible for a malicious person to trick your browser into
> requesting the Special:Blockme address, e.g. with an image with its
> source set to Special:Blockme
Hmmm, that doesn't sound sensible, it's just too easy for someone to
screw around with.
Is this right? All I need to do is have a cgi script on a web page
that dynamically generates a link like this:
<img src=http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip=xxx.xxx.xxx.xxx>
where I substitute xxx.xxx.xxx.xxx with the victim's ip number?
So, on my User:EvilUser homepage I just write: "Sysops and
wikipedians! Before you ban me or get upset with my actions, please
read my explanation of my behavior at
http://www.eviluser.com/wikipedia.cgi ! Thanks!"
Heh. But, not good.
This seems easy enough to fix. The link above should do nothing. If
we're testing a proxy, we should try to get the client to request
...?title=Special:Blockme&validation=xxxxxxxxxxxxxxxx
where 'xxxxxxxxxxxxxx' is something that we can generate easily but
that's difficult for User:EvilUser to duplicate.
--Jimbo
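The attack Tim describes and the validation-string fix Jimbo proposes, as an added example that is not MediaWiki's code and not from either message. It is written in Python rather than the wiki's PHP; the per-site secret PROXY_KEY, the ten-minute token lifetime, HMAC-SHA256 as the "something we can generate easily but that's difficult to duplicate", and the addresses in demo() are all assumptions made here. The hardened handler drops the `ip` parameter entirely and binds the token to the address the request actually arrives from, so a proxy-check request relayed through an open proxy verifies (it arrives from the proxy's address), while the forged `<img>` from EvilUser's page, even one whose CGI fills in the viewer's real address, cannot carry a string that verifies.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical per-site secret, generated fresh so the example runs stand-alone;
# a real deployment would keep a long random key in its private config.
PROXY_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds a validation string stays usable (assumed value)

blocked = set()  # stands in for the block table


def parse_blockme_request(url: str) -> dict:
    """Flatten the query string of a Special:Blockme URL into single-valued params."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def make_validation(ip: str, *, now: Optional[float] = None, key: bytes = PROXY_KEY) -> str:
    """Mint the validation string the proxy checker puts in the URL it asks the
    suspect proxy at `ip` to fetch.  Without PROXY_KEY nobody else can produce a
    string that verifies, which is the property the post asks for."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    mac = hmac.new(key, f"{ip}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{mac}"


def blockme_vulnerable(params: dict, remote_addr: str) -> bool:
    """The behaviour the thread complains about: the caller names the IP and
    nothing ties the request to a proxy check, so an <img> on any page blocks
    whoever the attacker names.  remote_addr is deliberately ignored."""
    ip = params.get("ip")
    if not ip:
        return False
    blocked.add(ip)
    return True


def blockme_validated(params: dict, remote_addr: str, *,
                      now: Optional[float] = None, key: bytes = PROXY_KEY) -> bool:
    """Hardened handler: no `ip` parameter.  The request must carry a validation
    string minted for the address it arrives from, within its lifetime."""
    token = params.get("validation", "")
    try:
        expires_s, mac = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    if (time.time() if now is None else now) > expires:
        return False  # stale token: limits replay if a proxy logs the URL
    expected = hmac.new(key, f"{remote_addr}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # wrong key, wrong address, or tampered expiry
    blocked.add(remote_addr)
    return True


def demo() -> dict:
    """Run EvilUser's forged URL and a genuine proxy-check URL through both handlers."""
    victim, proxy = "203.0.113.7", "198.51.100.9"  # constructed addresses
    results = {}
    forged = parse_blockme_request(
        f"http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&ip={victim}")
    # The victim's own browser (remote_addr = victim) fetches the forged <img>.
    blocked.clear()
    results["forged_vs_vulnerable"] = blockme_vulnerable(forged, victim)
    results["vulnerable_blocked"] = sorted(blocked)
    blocked.clear()
    results["forged_vs_validated"] = blockme_validated(forged, victim)
    # The wiki's proxy checker asks the suspect proxy to fetch a minted URL;
    # the request then arrives from the proxy's own address.
    genuine = parse_blockme_request(
        "http://en.wikipedia.org/w/wiki.phtml?title=Special:Blockme&validation="
        + make_validation(proxy))
    results["genuine_vs_validated"] = blockme_validated(genuine, proxy)
    # The same token presented from a different address fails the binding.
    results["genuine_from_other_addr"] = blockme_validated(genuine, victim)
    results["validated_blocked"] = sorted(blocked)
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the MAC to the requesting address is what makes the `ip=` parameter unnecessary: the wiki blocks the address it was actually talking to, and only when that address presents a string the wiki itself minted. The expiry is the one addition beyond the post's proposal; without it a token that leaks into a proxy's logs would stay valid indefinitely.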