Additional cross-site scripting attacks possible in the login form.
Cross-site scripting attack in the login form
Authentication bypass allowing arbitrary code execution
CallLogDAO in SIP Plugin enables SQL Injection
I really wonder why it takes so long to resolve this issue. Just ignoring the parsed parameters (everything behind the ?) would be fine to fix this issue.
Of course one would no longer be able to access URLs directly and to set the username, but that's how other applications solve this issue.
Patience =) I aim to fix these and some other assorted issues for 3.5.2!
A trivial demo of this: