Trac ticket system susceptible to redirects
Trac 0.10b1 ticket system by Edgewall Software is susceptible to spammy redirects.
Check out this ticket (Update: The administrator removed the attachments) on the lighttpd site.
Two of the attachments are placed by spammers.
When `?format=raw` is appended to the attachment URL, Trac serves the attachment raw and the redirects work; that is the URL the spammers spamvertize.
In this case, the attachments seem to use ordinary JavaScript hosted elsewhere to perform the redirect.
The developers have been notified.
Check out the scope of the problem by using this Google search.
September 7th, 2006 at 9:01 am
Trac has an option called “render_unsafe_content” that is disabled by default. If it is disabled, Trac will not render an attachment, but rather add a `Content-Disposition: attachment` header that forces the browser to download the file instead of displaying it. That option was added in Trac 0.9.3.
Thus a redirect in an attachment should not be working unless (a) the aforementioned option is enabled in the configuration (which is only recommended for closed environments), or (b) it doesn’t work correctly in some cases. I have not yet experienced the latter myself, so I think (a) is the issue here, which means it would boil down to a misconfiguration on the lighttpd site and other deployments of Trac.
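A defender-side check for the two points made above (the `?format=raw` behaviour described in the post and the `render_unsafe_content` option described in the comment), added here as an example; it is not code from the original post or from Trac itself. It assumes the option lives in the `[attachment]` section of trac.ini, as in Trac's own configuration documentation, and that the download-forcing header is the `Content-Disposition: attachment` header the comment names. The trac.ini fragments and HTTP response headers it inspects are constructed samples, not taken from any real deployment.

```python
"""Two checks for a Trac deployment (added example, not Trac's own code):

 1. config_renders_unsafe(): does a trac.ini enable render_unsafe_content,
    so that attachments are rendered in the browser instead of downloaded?
 2. response_forces_download(): do the response headers returned for an
    attachment fetched with ?format=raw force a download (the hardened
    behaviour) or let the browser render the file (the weak behaviour)?
"""
import configparser

# Assumption: the option lives in the [attachment] section of trac.ini.
# The comment above names the option but not its section.
SECTION = "attachment"
OPTION = "render_unsafe_content"

# Spellings Trac treats as "true" for boolean options.
TRUE_VALUES = {"true", "yes", "on", "enabled", "1"}


def config_renders_unsafe(ini_text: str) -> bool:
    """Return True when trac.ini enables inline rendering of attachments.

    A missing section or option is treated as the default, which the
    comment above states is disabled.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    value = cfg.get(SECTION, OPTION, fallback="false")
    return value.strip().lower() in TRUE_VALUES


def response_forces_download(headers: dict) -> bool:
    """Return True when a Content-Disposition header of type 'attachment' is set.

    Header names are matched case-insensitively. Only the disposition type
    (the token before the first ';') matters; the filename parameter does not.
    """
    for name, value in headers.items():
        if name.lower() == "content-disposition":
            disposition_type = value.split(";", 1)[0].strip().lower()
            return disposition_type == "attachment"
    return False


# Constructed sample configurations (labelled: not from any real site).
HARDENED_INI = """
[attachment]
max_size = 262144
render_unsafe_content = false
"""

WEAK_INI = """
[attachment]
render_unsafe_content = enabled
"""

# Constructed sample response headers for an attachment fetched with
# ?format=raw on a hardened and on a weakly configured deployment.
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Disposition": "attachment; filename=page.html",
}
WEAK_HEADERS = {
    "Content-Type": "text/html",
}


if __name__ == "__main__":
    for label, ini in (("hardened", HARDENED_INI), ("weak", WEAK_INI)):
        print(f"{label} trac.ini renders unsafe content: {config_renders_unsafe(ini)}")
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(f"{label} ?format=raw response forces download: {response_forces_download(hdrs)}")
```

To audit a live deployment, feed `config_renders_unsafe` the contents of the site's trac.ini and feed `response_forces_download` the headers of a request for any existing attachment with `?format=raw` appended; a `False` from the second check while the first returns `False` would be the "(b) it doesn't work correctly" case the comment leaves open.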