Foswiki checks every request it receives from a browser and tries to verify that the person using that browser sent it intentionally.
An attacker may try to use your login identity to change content in your wiki without your knowledge.
The attacker tries to use your rights to obtain things, such as admin rights for the site.
This is also known as Cross-site Request Forgery, or CSRF.
In one possible scenario, an attacker has left a link enticing you to visit a page on http://crime.org that carries some clever JavaScript.
Its purpose is to save compromising data automatically by sending a request to your server through your browser, using your identity.
If Foswiki detects a suspicious request that may have been sent from such a page, it asks you to confirm the request.
The checks performed by Foswiki can sometimes be triggered by something perfectly innocent, for instance clicking the Back button after saving a page. In that case Foswiki takes the approach "better safe than sorry".
[Diagram: three exchanges between "You", an "Evil person" and the "Webserver running Foswiki"]
Panel 1: You send a request. Webserver running Foswiki: "Who is requesting this, actually?"
Panel 2: A request arrives that could have come from you or from the evil person. Webserver running Foswiki: "Not sure this is right, please confirm!" It shows: "Confirmation required! Press OK to confirm this change was intentional. Press Cancel otherwise." You: "Ah, no! Ehm, let me go back to correct the page..."
Panel 3: You send a request that is flagged. Webserver running Foswiki shows: "Confirmation required! Press OK to confirm this change was intentional. Press Cancel otherwise." You: "OK, this is still me!"
Note: you must have Cookies and Javascript enabled in your browser to get past this screen. This is normally the case, but if something doesn't work, this is where to look first.
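The check described above, as an added model that is not Foswiki's own code: a token bound to the browser session and to the action is embedded in the served form, a state-changing request without a valid, unused token is routed to a confirmation screen instead of being rejected, and the confirmation screen lets the browser that holds the session cookie fetch a fresh token and resubmit. The action names, token format and single-use policy are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Added illustration of a session-bound request-validation token; the names,
# actions and policy below are assumptions, not Foswiki's own implementation.
SERVER_SECRET = secrets.token_bytes(32)        # held server-side, never sent to browsers
STATE_CHANGING = {"save", "rename", "upload"}  # assumed names of validated actions
used_tokens = set()                            # tokens already spent (one use each)


def _mac(session_id, action, nonce):
    msg = f"{session_id}|{action}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, action):
    """Mint a token bound to this browser session and this action. The server
    embeds it in the form it serves, so a page on another site cannot know it."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_mac(session_id, action, nonce)}"


def check_request(session_id, action, token):
    """Return 'read-only' (no check needed), 'proceed', or 'confirm' (ask the user)."""
    if action not in STATE_CHANGING:
        return "read-only"
    if not session_id or not token or "." not in token:
        return "confirm"            # no session cookie or no token: possibly cross-site
    nonce, mac = token.split(".", 1)
    expected = _mac(session_id, action, nonce)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "confirm"            # token was not minted for this session and action
    if token in used_tokens:
        return "confirm"            # same token twice, e.g. Back button after saving
    used_tokens.add(token)
    return "proceed"


def confirm_and_resubmit(session_id, action):
    """The confirmation screen: the browser, which still holds the session cookie,
    fetches a fresh token (which is why cookies and JavaScript must be enabled)
    and resubmits the same request once the user presses OK."""
    return check_request(session_id, action, issue_token(session_id, action))
```

A request replayed with a token that has already been spent, or one carrying no token at all, lands on the confirmation screen rather than silently changing the page.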
22 Nov 2024 - 04:40 | Foswiki v2.0.2