Last modified: 2008-05-30 17:14:21 UTC
It's possible to insert something into an article's text that allows you to put something on top of the links at the top right. If crafted properly, it can look similar enough to the real "Sign in / create account" link to potentially fool an inexperienced or careless user into visiting a fake login page hosted by a malicious user. Apologies for the page-widening testcase code (the spaces are necessary so that it looks right for logged-in users by hiding their other links):

<span class="plainlinks" style="background: #EEEEEE; position: absolute; right: 0; top:-35px; font-weight: bold; z-index:5"> [http://google.com/ Sign in / create account]</span>

This example does not work properly for Internet Explorer, but it's probably possible to get that working too.
Confirm that it works under FF1.5, see [http://wiki.epstone.net/w/index.php?title=Home_Page&oldid=2918].
This can be maliciously added to any page (other than the main page), and might not be immediately evident to vandal-fighters. Bumping severity to major. What could we do about it, though?
I was going to suggest disallowing z-index but found out that's not even necessary. Would this really not be immediately evident to vandal-fighters? (Unless it's on a user page; that might go unnoticed...)
Yeah, I overreacted. Any large-scale attempt at this would be spotted quite quickly. Still should be fixed *if* anyone can think of any way to do it without shutting out legitimate uses. Restricting content to the content box is probably a good idea from a security perspective.
Dan, what about giving the real link a higher z-index and then disallowing it for article contents? For browsers that understand z-index, that seems like it might help. Alternately, what about disallowing negative positions? That would make anything above or to the left of the article content safe, while only causing trouble for people who want to do really really convoluted layouts.
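One way to express the two checks proposed above (rejecting z-index and negative offsets in article markup), as an added example that is not MediaWiki's code or part of the original discussion. The function names are hypothetical and only those two rules are covered; the input is the testcase from the report plus a constructed benign span.

```python
import re

OFFSET_PROPS = {"top", "right", "bottom", "left"}
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
STYLE_ATTR_RE = re.compile(r'style\s*=\s*"([^"]*)"', re.I)
NEGATIVE_RE = re.compile(r"^-(?:\d|\.\d)")


def parse_declarations(style):
    """Split an inline style string into (property, value) pairs."""
    style = COMMENT_RE.sub("", style)  # comments must not hide a value
    pairs = []
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip().lower()))
    return pairs


def style_violations(style):
    """Return the reasons an inline style would be rejected."""
    reasons = []
    for name, value in parse_declarations(style):
        if name == "z-index":
            # Assumed policy: z-index is reserved for the skin's own links.
            reasons.append("z-index is reserved for the skin")
        elif name in OFFSET_PROPS and NEGATIVE_RE.match(value):
            reasons.append(f"negative offset: {name}: {value}")
    return reasons


def scan_wikitext(text):
    """Map each offending style attribute in the wikitext to its reasons."""
    findings = {}
    for match in STYLE_ATTR_RE.finditer(text):
        reasons = style_violations(match.group(1))
        if reasons:
            findings[match.group(1)] = reasons
    return findings


# The testcase from the report, followed by a constructed benign span.
SAMPLE = (
    '<span class="plainlinks" style="background: #EEEEEE; position: absolute; '
    'right: 0; top:-35px; font-weight: bold; z-index:5"> '
    '[http://google.com/ Sign in / create account]</span>\n'
    '<span style="position: relative; top: 2px; color: #333">note</span>'
)
```

Only the first span in `SAMPLE` is reported; the benign span, which uses a small positive offset, passes.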
*** This bug has been marked as a duplicate of bug 8679 ***