A request to Special:MyPage/ccvhjhdkjvkvkhjhkvkjvdh appears in the pagecounts as a visit to User:Xavier_Combelle/ccvhjhdkjvkvkhjhkvkjvdh. By making a browser call such a special page (for example via an iframe, an embedded image or an AJAX call) and afterwards consulting the pagecounts, an external site can know that my login is Xavier_Combelle and eventually correlate it with the IP or any personal information it has on me.
As I thought about it, the best way to solve this issue would be to make a soft redirect instead of a hard one.
patches:
- master: +
- 1.23 - included in
- 1.24 - included in
- 1.25 - included in
- 1.26 - included in
CVE: CVE-2015-8628
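
A minimal model of the leak and of the soft redirect proposed above, added here as an example and not taken from MediaWiki or from the report. The function names, the user `ExampleUser` and the token are hypothetical, and the model assumes the pagecounts count every request under the title that was requested.

```python
from collections import Counter

# Constructed model, not MediaWiki code. Assumption: every request the
# browser makes is counted under the title it asked for.

def serve(title, session_user, soft_redirect):
    """Return (status, location, body) for one request."""
    prefix = "Special:MyPage"
    if title == prefix or title.startswith(prefix + "/"):
        target = "User:" + session_user + title[len(prefix):]
        if soft_redirect:
            # Soft redirect: a normal page carrying a link the user must click.
            return 200, None, "This page redirects to [[%s]]" % target
        # Hard redirect: the resolved user title goes into the Location header.
        return 302, target, ""
    return 200, None, "content of " + title


def embedded_fetch(title, session_user, soft_redirect, pagecounts):
    """Model a browser loading `title` as an embedded resource.

    Browsers follow 3xx responses automatically; they do not follow
    links inside a 200 body.
    """
    for _ in range(5):  # redirect limit
        pagecounts[title] += 1
        status, location, _body = serve(title, session_user, soft_redirect)
        if status != 302:
            break
        title = location
    return pagecounts


def leaked_user_titles(pagecounts):
    """Titles in the public counts that name a user page."""
    return sorted(t for t in pagecounts if t.startswith("User:"))


if __name__ == "__main__":
    token = "constructed-token-123"  # constructed sample value
    for soft in (False, True):
        counts = embedded_fetch("Special:MyPage/" + token, "ExampleUser",
                                soft, Counter())
        print("soft" if soft else "hard", dict(counts),
              leaked_user_titles(counts))
```

With the hard redirect the public counts gain an entry that pairs the login with the chosen token; with the soft redirect only the `Special:MyPage/...` title is counted.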