1. Upload an image to a course's file area and copy the files's url
2. Place an img tag link to the image on the site front page
3. Confirm that the image is not displayed when you are logged out (at least)
4. Log in normally, you are sent to the image (in the course) - which will not be what a user expected.
What's happening is that the img tag calls file.php, which calles require_login() which in turn goes to the login page - except you see none of this as it's an image. Unfortunately, $SESSION->wantsurl has been set to the location of the image. When you next log in (properly) it picks up the wantsurl setting and sends you to that location immediately after login.
Of course, you shouldn't have that img there in the first place, but I spent days diagnosing this on a customer's site.