Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-10309

Phishing Through URL Redirection

    XMLWordPrintable

Details

    • Unit
    • Low
    • Hard
    • Pull Request accepted

    Description

      The xredirect parameter allows specifying any URL, including to an external host. Given that xredirect is an internal parameter controlling where to go after performing an action in XWiki, it should only accept local URLs.

      To reproduce, open /bin/Main/UserDirectory?customize=true&action=reset& xredirect=http://demo.testfire.net and see the phishing site.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-14986 Don't redirect to external URLs

          • Major - Major loss of function.
          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. OIDC-105 Enforce redirection in case trusted domain are not properly configured

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-19994 Redirect parameter xredirect in login/logout can link to external site

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          links to

          Web Link Security Advisory

          Activity

            People

              surli Simon Urli
              sdumitriu Sergiu Dumitriu
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: