[Foundation-l] Malicious user javascript

Brion Vibber brion at pobox.com
Tue May 24 01:12:26 UTC 2005


kelvSYC wrote:
> First of all, I hope that you can forward it off to wikitech, but it
> seems that a malicious user at Wikibooks used their user JS to do some
> page move vandalism (see [[b:en:User:Vandel Damon/monobook.js]] for the
> JS in question). It's not much of a security loophole as it is
> undesirable for the wiki community, seeing that a lot of people would
> have to undo a lot of page moves.
>
> If there was some way in the back end to prevent this, it would be
> appreciated.

There's nothing malicious you can do from *your own* user javascript
that you can't do from a different form of client-side script or bot.

In interactions between the server and a client, JavaScript is exactly
equivalent to user-performed actions and non-browser bots.

Even if we tried to place restrictions on user JavaScript or disable it
entirely, there is no way to protect against that distinct from general
restrictions on submissions from some user. The malicious user could
trivially substitute JavaScript that comes from their local machine or
another source, use a modifying proxy to insert it, or use a different
client-side tool to perform equivalent processing.

-- brion vibber (brion @ pobox.com)
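The argument above in working code, as an added example that is not part of the original message and not MediaWiki code: a constructed log of page-move requests from one account arriving through user JS, a non-browser bot and a modifying proxy, run first through the naive countermeasure (refuse anything that looks like user JS) and then through the control Brion describes, a per-user limit on submissions that never looks at which client sent them. The request log, user names, client labels and the limit of three moves per sixty seconds are all made up for the illustration; the "client" column stands in for whatever the server could guess from headers, which a client can set to anything. (MediaWiki's own counterpart to the per-user limit is the $wgRateLimits configuration; the throttle below is an illustrative stand-in, not that code.)

```python
"""Illustrative server-side throttle for page moves.

Constructed example: the request log, user names, client labels and the
limit below are made up. This is not MediaWiki code.
"""
from collections import defaultdict, deque

# Constructed request log: (seconds since start, user, client, page title).
# "client" is what the server could guess from User-Agent or Referer; it is
# under the client's control, so the throttle deliberately ignores it.
REQUESTS = [
    (0,  "Vandal", "user-js", "Page A"),
    (1,  "Vandal", "user-js", "Page B"),
    (2,  "Vandal", "user-js", "Page C"),
    (3,  "Vandal", "bot",     "Page D"),   # same account, non-browser client
    (4,  "Vandal", "proxy",   "Page E"),   # same account, modifying proxy
    (5,  "Editor", "browser", "Page F"),   # an unrelated, well-behaved user
    (70, "Vandal", "user-js", "Page G"),   # window has slid; one more allowed
]


def disable_user_js(requests):
    """The naive countermeasure: refuse anything that looks like user JS.

    Returns the moves that still go through. The same account's bot and
    proxy requests are untouched, which is the point of the message above.
    """
    return [r for r in requests if r[2] != "user-js"]


class MoveThrottle:
    """Sliding-window limit on page moves per user, regardless of client."""

    def __init__(self, limit=3, window=60):
        self.limit = limit      # hypothetical: moves allowed per window
        self.window = window    # hypothetical: window length in seconds
        self._hits = defaultdict(deque)

    def allow(self, user, now):
        """Record a move for `user` at time `now`; True if it is within limit."""
        hits = self._hits[user]
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def throttle_moves(requests, limit=3, window=60):
    """Apply the per-user throttle to a request log.

    Returns (allowed, refused) as lists of (user, client, title). The
    client label is carried through for display only and is never consulted.
    """
    throttle = MoveThrottle(limit, window)
    allowed, refused = [], []
    for ts, user, client, title in requests:
        target = allowed if throttle.allow(user, ts) else refused
        target.append((user, client, title))
    return allowed, refused


if __name__ == "__main__":
    print("Blocking user JS still lets through:")
    for _, user, client, title in disable_user_js(REQUESTS):
        print(f"  {user:6} via {client:8} -> {title}")
    allowed, refused = throttle_moves(REQUESTS)
    print("Per-user throttle refuses:")
    for user, client, title in refused:
        print(f"  {user:6} via {client:8} -> {title}")
```

Run as a script, the first list shows that refusing user JS leaves the same account's bot and proxy moves (Page D, Page E) untouched, while the throttle refuses exactly those two because they are the account's fourth and fifth move inside the window, and lets the unrelated editor and the later move through. Nothing in the throttle depends on the client label, which is the only property a server could ever use to single out user JavaScript.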