Last modified: 2008-05-30 17:14:21 UTC
It's possible to insert something into an article's text that allows you to put
something on top of the links at the top right. If crafted properly, it can
look similar enough to the real "Sign in / create account" link to potentially
fool an inexperienced or careless user into visiting a fake login page hosted by
a malicious user.
Apologies for the page-widening testcase code (the spaces are necessary so that
it looks right for logged-in users by hiding their other links):
<span class="plainlinks" style="background: #EEEEEE; position: absolute; right:
0; top:-35px; font-weight: bold;">
[http://google.com/ Sign in / create account]</span>
This example does not work properly for Internet Explorer, but it's probably
possible to get that working too.
Confirm that it works under FF1.5, see
This can be maliciously added to any page (other than the main page), and might
not be immediately evident to vandal-fighters. Bumping severity to major. What
could we do about it, though?
I was going to suggest disallowing z-index but found out that's not even necessary.
Would this really not be immediately evident to vandal-fighters? (Unless it's on
a user page; that might go unnoticed...)
Yeah, I overreacted. Any large-scale attempt at this would be spotted quite
quickly. Still should be fixed *if* anyone can think of any way to do it
without shutting out legitimate uses. Restricting content to the content box is
probably a good idea from a security perspective.
Dan, what about giving the real link a higher z-index and then disallowing it
for article contents? For browsers that understand z-index, that seems like it
Alternately, what about disallowing negative positions? That would make
anything above or to the left of the article content safe, while only causing
trouble for people who want to do really really convoluted layouts.
*** This bug has been marked as a duplicate of bug 8679 ***
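The mitigations proposed in the comments above (disallowing negative positions, restricting z-index, keeping content inside the content box) can be expressed as a check on inline style attributes. The following is an added example, not code from this bug report or from MediaWiki; the function names, the property list and the sample strings are assumptions made for illustration.

```python
import re

# Properties that can move a box outside the content area when negative.
OFFSET_PROPS = {"top", "right", "bottom", "left", "margin",
                "margin-top", "margin-right", "margin-bottom", "margin-left"}
# Tolerates a missing closing quote, as in a malformed attribute.
STYLE_ATTR = re.compile(r'style\s*=\s*"([^"]*)"?', re.IGNORECASE)
NEGATIVE = re.compile(r'(?<![\w.])-\.?\d')

# Constructed samples, modelled on the testcase in the report.
OVERLAY = '<span style="position: absolute; right: 0; top:-35px;">[http://example.org/ Sign in]</span>'
BENIGN = '<span style="background: #EEEEEE; font-weight: bold;">note</span>'


def parse_declarations(style):
    """Split an inline style value into lowercased (property, value) pairs."""
    pairs = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if sep:
            pairs.append((prop.strip().lower(), " ".join(value.split()).lower()))
    return pairs


def check_style(style):
    """Return the reasons an inline style could escape the content box."""
    reasons = []
    for prop, value in parse_declarations(style):
        if prop == "position" and value.startswith(("absolute", "fixed")):
            reasons.append(f"position:{value.split()[0]}")
        elif prop in OFFSET_PROPS and NEGATIVE.search(value):
            reasons.append(f"negative {prop}")
        elif prop == "z-index":
            reasons.append("z-index")
    return reasons


def scan_wikitext(text):
    """Check every style attribute in a chunk of wikitext; return all findings."""
    findings = []
    for match in STYLE_ATTR.finditer(text):
        findings.extend(check_style(match.group(1)))
    return findings
```

A filter used in production would also have to normalise CSS comments and backslash escapes before a check like this, since both can hide a property name or value from a plain string comparison.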