- Bug
- Resolution: Fixed
- Low
- NGS - Beta 3
- None
Upon visiting http://test.musicbrainz.org/, go to Editing > You must be logged-in to edit. On doing so, you'll notice the uri GET variable. This variable can currently point towards any given URI specified.
This serves as a potential flaw, as someone being malicious could use it to forward on users and requests to various other spam/phishing/malware/crapware sites.
Does this URL ever need to point to a URL outside of the current mb_server instance's scope? And if not, I suggest that this link be made relative to the given domain currently being logged in at, with any external site forwards being denied.
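The check suggested above, as an added illustration in Python rather than mb_server's own code: the `uri` value is only honoured when it is a site-local path or an absolute URL on the expected host, and everything else falls back to a fixed default. The host name, function names and sample inputs are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/"  # where to send the user when the uri value is rejected


def is_safe_redirect_target(uri, allowed_host):
    """Return True only if `uri` stays on `allowed_host` (constructed policy)."""
    if not uri:
        return False
    # Control characters and spaces are rejected outright; browsers strip some
    # of them, which can turn a harmless-looking value into an external URL.
    if any(ord(c) < 0x20 or c == " " for c in uri):
        return False
    # Browsers treat backslash like forward slash, so "/\evil.example" would be
    # read as "//evil.example". Normalise before parsing so the check sees it.
    normalised = uri.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme:
        # Absolute URL: only http(s) on our own host is acceptable.
        if parts.scheme.lower() not in ("http", "https"):
            return False
        return (parts.hostname or "").lower() == allowed_host.lower()
    if parts.netloc:
        # Protocol-relative "//host/path" leaves the site; reject it.
        return False
    # Plain relative target: require a single leading slash (site-local path).
    return normalised.startswith("/") and not normalised.startswith("//")


def resolve_redirect(uri, allowed_host, default=DEFAULT_TARGET):
    """Reduce an accepted target to a same-site path; otherwise use default."""
    if not is_safe_redirect_target(uri, allowed_host):
        return default
    parts = urlsplit(uri.replace("\\", "/"))
    # Drop scheme and host so the Location header is always relative.
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    host = "test.musicbrainz.org"  # assumed instance host for the demo
    for candidate in ("/user/edit?x=1", "http://evil.example/",
                      "//evil.example/", "/\\evil.example/",
                      "javascript:alert(1)",
                      "http://test.musicbrainz.org@evil.example/"):
        print(f"{candidate!r:45} -> {resolve_redirect(candidate, host)!r}")
```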