We've just had some penetration tests done and I'm following up the report. One issues raised was the running of the following url without any authentication in IE7 (see attached)
This successfully launches a js window and it has been flagged as a hole that a hacker could use to try other payloads and access user cookies and other XSS style attacks.
The variable id doesn't seem to matter - this is not a param filtering issue because $id isn't a variable in the page and you can pass in any variable name you like there.
However the same technique does not work on /login/index.php
Can anyone shed any more light on this issue for me? Is this something I should add to the Moodle Tracker?
thanks for everybody's help so far,