
Recent Changes page escapes a link to an external website.
Closed, ResolvedPublic

Description

Author: webmaster

Description:
I am not sure how to report this, but somehow someone was able to create an
artificial link to an external website.

The 'article' tab at the top of the article actually links to an external
website, as well.

Is this simply a text escaping bug, or could it be the lead-in to a malicious
exploit?

Some links:

http://www.marveldatabase.com/index.php?title=/Giant-Size_X-Men_1&curid=37033&action=history

http://www.marveldatabase.com/index.php?title=Special:Contributions&target=U53rn4m3

http://www.marveldatabase.com/index.php?title=Special:Recentchanges&from=20061127020848&limit=100000

(Scroll to the end of recent changes in the 3rd link.)


Version: unspecified
Severity: major
URL: http://www.marveldatabase.com/index.php?title=Special:Contributions&target=U53rn4m3

Details

Reference
bz8046

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 21 2014, 9:30 PM
bzimport set Reference to bz8046.
bzimport added a subscriber: Unknown Object (MLST).

Your site configuration is a little fragile, with articles
placed directly at the root URL. (I recommend against this for
many reasons.)

Pages starting with "/" thus end up with local URL paths
starting with "//", which some browsers may interpret similarly
to "http://".

See the linked patch on bug 98 for how to disable all pages
beginning with "/".

Going to go ahead and dupe this to bug 98, since the bogus "/"
is the issue.

*** This bug has been marked as a duplicate of 98 ***
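To make the root-path problem concrete, here is an added example (not code from this bug or from MediaWiki) showing how a title beginning with "/" turns into a scheme-relative "//" link when articles live at the site root, and the title check that closes the hole. The article-path templates and function names are assumptions made for the example; the host and title come from the links in the report.

```python
from urllib.parse import urljoin, urlsplit

# Assumed article-path templates, in the spirit of MediaWiki's $wgArticlePath.
# "$1" is replaced with the page title.
ROOT_ARTICLE_PATH = "/$1"          # the fragile setup: pages directly at the root URL
PREFIXED_ARTICLE_PATH = "/wiki/$1"  # the conventional layout with a path prefix

SITE = "http://www.marveldatabase.com/"      # host taken from the report's links
TITLE = "/Giant-Size_X-Men_1"                # title taken from the report's first link


def local_url(article_path: str, title: str) -> str:
    """Build the host-relative URL for a page title (spaces become underscores)."""
    return article_path.replace("$1", title.replace(" ", "_"))


def is_protocol_relative(local: str) -> bool:
    """A local path starting with '//' is a scheme-relative URL, not a path."""
    return local.startswith("//")


def leaves_site(base: str, local: str) -> bool:
    """True when resolving `local` against `base` lands on a different host."""
    return urlsplit(urljoin(base, local)).netloc != urlsplit(base).netloc


def is_safe_title(title: str) -> bool:
    """Defensive check: refuse titles that begin with '/' (what bug 98's patch does)."""
    return not title.startswith("/")


if __name__ == "__main__":
    bad = local_url(ROOT_ARTICLE_PATH, TITLE)       # "//Giant-Size_X-Men_1"
    good = local_url(PREFIXED_ARTICLE_PATH, TITLE)  # "/wiki//Giant-Size_X-Men_1"
    print(bad, is_protocol_relative(bad), leaves_site(SITE, bad))
    print(good, is_protocol_relative(good), leaves_site(SITE, good))
    print("title accepted:", is_safe_title(TITLE))
```

With the root layout the link resolves to a host named after the title; with a prefixed path the same title stays on the site, and the title check rejects it either way.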

webmaster wrote:

Thanks Brion,

I spotted that extra / after I posted, but I wanted to make sure there was
nothing security related, so I left the bug open for you to review.

Thanks.

:)