On 10/26/07, Edward Chernenko <[EMAIL PROTECTED]> wrote:
> 2 SELECT page_namespace FROM page WHERE page_title=? ORDER BY page_namespace
> (this list may be written into mysql table).
>
> User can inflict query by accessing some script common for all
> queries, which would find query by its number (query_id) and print
> HTML form on GET (with textfields instead of placeholders) or results
> on POST.

Permitting anonymous users to scan the page table seems like a pretty good DoS vector for whatever server is being sacrificed for this.
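
As an added illustration, not part of the original message or of any Toolserver code: a pre-admission check that refuses to expose a stored query to anonymous users when its plan walks a whole table or index. SQLite stands in for MySQL so the block runs offline; the index on (page_namespace, page_title), the `QUERIES` list and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the MediaWiki `page` table. The unique index on
# (page_namespace, page_title) is an assumption about the schema; the thread
# does not show it.
SCHEMA = """
CREATE TABLE page (
    page_id        INTEGER PRIMARY KEY,
    page_namespace INTEGER NOT NULL,
    page_title     TEXT    NOT NULL
);
CREATE UNIQUE INDEX name_title ON page (page_namespace, page_title);
"""

# Hypothetical stored-query list keyed by query_id, as the proposal describes.
QUERIES = {
    1: "SELECT page_id FROM page WHERE page_namespace=? AND page_title=?",
    2: "SELECT page_namespace FROM page WHERE page_title=? ORDER BY page_namespace",
}


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(  # constructed sample rows
        "INSERT INTO page (page_namespace, page_title) VALUES (?, ?)",
        [(ns, f"Title_{i}") for ns in range(4) for i in range(500)],
    )
    return db


def full_scans(db, sql):
    """Return the plan steps in which the engine walks a whole table or index."""
    nparams = sql.count("?")
    plan = db.execute("EXPLAIN QUERY PLAN " + sql, (None,) * nparams).fetchall()
    return [row[3] for row in plan if row[3].startswith("SCAN")]


def safe_for_anonymous(db, query_id):
    """Admit a stored query only if every plan step is an index search."""
    return not full_scans(db, QUERIES[query_id])


if __name__ == "__main__":
    db = open_db()
    for qid in sorted(QUERIES):
        verdict = "allow" if safe_for_anonymous(db, qid) else "reject"
        print(qid, verdict, full_scans(db, QUERIES[qid]))
```

Query 2 filters on page_title alone, which is not a leading column of the assumed index, so its cost grows with the size of the table; on MySQL the same gate would read the output of `EXPLAIN` instead.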
