Use of "non-" URLs on the Terms of Service page

I have found a potentially concerning issue with the Terms of Service page on all Discourse installs (including try.discourse.org).

The ToS section "7. Content Posted on Other Websites" contains links to non-currentdomain.tld. These links are clickable because they are parsed just like any other post.

This allows for domain-squatting unregistered non-currentdomain.tld in some cases. A good example of this is https://forum.openwrt.org/tos#5

As a proof of point, I have registered non-openwrt.org.

You can see my “detailed” write-up here: ComputeCode - Non-OpenWrt

I did not see this bug as worthy of a security bounty. But if you would like this submitted as one please let me know.

2 Likes

Can’t repro this on a new install. Looks like this is only available on pre-GDPR era sites that were set up with old privacy policy and terms of service templates.

4 Likes
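For admins of older sites who want to check their own ToS text, here is an added example (not part of the thread and not Discourse code) that lists every linkable hostname outside the site's own domain. The regex is a simplified stand-in for the real auto-linker, and the names `foreign_links`, `is_own_host`, the `.example` domain and the sample text are all assumptions made for illustration.

```python
import re

# Simplified stand-in for an auto-linker: bare hostnames and http(s) URLs.
# Assumption: the real linkifier recognises more forms than this pattern.
HOST_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24})\b",
    re.IGNORECASE,
)


def is_own_host(host, site_domain):
    """True only for the site domain itself or a real subdomain of it.

    A plain host.endswith(site_domain) would wrongly accept
    "non-forum.example" for "forum.example", so compare on a label boundary.
    """
    host = host.lower().rstrip(".")
    site_domain = site_domain.lower().rstrip(".")
    return host == site_domain or host.endswith("." + site_domain)


def foreign_links(text, site_domain, allowlist=()):
    """Return (line_no, host) for each linkable host outside site_domain."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HOST_RE.finditer(line):
            host = match.group(1).lower()
            if is_own_host(host, site_domain) or host in allowed:
                continue
            findings.append((line_no, host))
    return findings


# Constructed sample text (not the actual template wording).
SAMPLE_TOS = """\
## 7. Content Posted on Other Websites
We have not reviewed all material linked to from forum.example.
Links to non-forum.example sites do not imply endorsement.
See https://meta.forum.example/tos for details.
"""

if __name__ == "__main__":
    for line_no, host in foreign_links(SAMPLE_TOS, "forum.example"):
        print(f"line {line_no}: {host} would be linked and is not this site")
```

Any host it reports should either be reworded so it no longer renders as a link or be a domain the site owner actually controls.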