[pmwiki-devel] PITS/01030

Greg Grimes greg.grimes at msstate.edu
Thu Jun 26 07:13:52 CDT 2008


Well, that's the 50 million dollar question now isn't it?  If I was an attacker,
I would send a malicious link to people who regularly visit a website that uses
Thumblist2.  Just do a Google search for inurl:Thumblist2 and you have at least
one that comes up.  But this isn't really about your site, this is about any site
that uses PmWiki.  For example, I work for a university.  If someone wanted,
they could make a very legitimate-looking link that points to our wiki page.
Because the URL would have msstate.edu in it, a lot of people would feel that
there isn't anything wrong with the link and click it. If only a handful fall
for it, well...that's a handful of bot computers they just got.  Not everyone
uses Firefox or Opera.

As for not following the proper notification path for this, I am sorry.  I am
new to the PmWiki development world.  I did e-mail Patrick about the issue
after Hans told me I should.  Patrick responded and said it would be fixed in a
new release sometime today, 26 Jun 2008.

Quoting Petko Yotov <5ko at 5ko.fr>:
> which keeps me wondering why would an attacker use my site and what exactly
> can he get from this.




