The use of "non" URLs on the ToS page

I have found a potentially concerning issue with the Terms Of Service Page on all discourse installs (including try.discourse.org).

The ToS section 7, "Content Posted on Other Websites", contains links to non-currentdomain.tld. These links are clickable because they are parsed just like any other post.

This allows for domain-squatting of the unregistered non-currentdomain.tld in some cases. A good example of this is https://forum.openwrt.org/tos#5

As a proof of point, I have registered non-openwrt.org.

You can see my “detailed” write-up here: ComputeCode - Non-OpenWrt

I did not see this bug as worthy of a security bounty. But if you would like this submitted as one please let me know.

2 Likes
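A check an admin could run against their own rendered ToS text to find the linkified "non-<site>" placeholder described in the post above. This is an added example, not code from the original post or from Discourse; the hostname regex only approximates what an autolinker treats as a bare hostname, and the sample ToS paragraph is constructed for the example rather than copied from the real template.

```python
import re
from typing import List

# Approximation of what an autolinker treats as a bare hostname or URL inside
# post text: optional scheme, then a dotted hostname ending in a letters-only TLD.
# Assumption: the real Discourse linkifier is more elaborate; this is enough for
# scanning ToS prose.
_HOST_RE = re.compile(
    r"(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE
)

# Constructed sample of a pre-GDPR-era ToS paragraph with the leftover
# placeholder (not the real template text).
SAMPLE_TOS = """7. Content Posted on Other Websites
We have not reviewed, and cannot review, all of the material made available
through the websites and webpages to which non-openwrt.org links, and that link
to non-openwrt.org. Non-openwrt.org does not have any control over those
non-openwrt.org websites. See https://forum.openwrt.org/guidelines for more.
"""


def extract_hosts(text: str) -> List[str]:
    """Return every hostname the autolinker would turn into a link,
    lowercased, in order of first appearance, without duplicates."""
    seen: List[str] = []
    for m in _HOST_RE.finditer(text):
        host = m.group(1).lower()
        if host not in seen:
            seen.append(host)
    return seen


def is_own_host(host: str, site_domain: str) -> bool:
    """True if host is the site's own domain or a subdomain of it."""
    site_domain = site_domain.lower()
    return host == site_domain or host.endswith("." + site_domain)


def find_placeholder_hosts(text: str, site_domain: str) -> List[str]:
    """Narrow check: linkified hosts of the exact form non-<site_domain>,
    i.e. the template placeholder that points at a domain the site does
    not control."""
    target = "non-" + site_domain.lower()
    return [h for h in extract_hosts(text) if h == target]


def find_external_hosts(text: str, site_domain: str) -> List[str]:
    """Wider check: any linkified hostname in the ToS that is not the
    site's own domain or one of its subdomains. Catches the placeholder
    and any other off-site link an admin may want to review."""
    return [h for h in extract_hosts(text) if not is_own_host(h, site_domain)]


if __name__ == "__main__":
    site = "openwrt.org"
    print("placeholder hosts:", find_placeholder_hosts(SAMPLE_TOS, site))
    print("external hosts:   ", find_external_hosts(SAMPLE_TOS, site))
```

Run it with the site's own ToS text pasted into SAMPLE_TOS and the site's domain as `site`; an empty list from `find_placeholder_hosts` means the old template placeholder is not present, while `find_external_hosts` lists every off-site hostname the page would render as a link.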

Can’t repro this on a new install. Looks like this is only available on pre-GDPR-era sites that were set up with the old privacy policy and terms of service templates.

4 Likes