Details
- Bug
- Resolution: Fixed
- Major
- 6.0-rc-1
- Unit
- Low
- Hard
- Pull Request accepted
Description
The xredirect parameter accepts any URL, including one pointing to an external host. Since xredirect is an internal parameter that controls where to go after performing an action in XWiki, it should only accept local URLs.
To reproduce, open /bin/Main/UserDirectory?customize=true&action=reset&xredirect=http://demo.testfire.net and observe that the wiki redirects to the external (phishing) site.
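The check the description asks for, written here as an added illustration rather than XWiki's own fix: a redirect target is accepted only when it is an absolute path on the same site (or, optionally, an absolute http(s) URL to an explicitly allow-listed host), and the off-site variants an attacker would try are rejected. The function names, the DEFAULT_TARGET path and the allow-list are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed fallback landing page for this example; not taken from the issue.
DEFAULT_TARGET = "/bin/Main/WebHome"


def is_safe_redirect(target: str, allowed_hosts: frozenset = frozenset()) -> bool:
    """Accept same-site paths, or absolute http(s) URLs whose host is explicitly allowed."""
    if not target:
        return False
    # Browsers strip tabs/newlines and other control characters before parsing,
    # so "/\t/evil.example" can be read as "//evil.example". Refuse them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" as "/", turning "/\evil.example" into the
    # scheme-relative "//evil.example". Reject backslashes entirely.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http(s), and only to an allow-listed host.
        # `hostname` is lowercased and excludes userinfo and port, so
        # "https://wiki.example@evil.example/" resolves to evil.example.
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    if parts.netloc:
        # Scheme-relative "//evil.example/..." leaves the site.
        return False
    # Local target: require exactly one leading "/" (an absolute path on this site).
    return target.startswith("/") and not target.startswith("//")


def resolve_redirect(target: str, allowed_hosts: frozenset = frozenset()) -> str:
    """Return `target` if it passes the check, otherwise the site's default page."""
    return target if is_safe_redirect(target, allowed_hosts) else DEFAULT_TARGET
```

Applied to the reproduction URL from the description, the external host is rejected and the user lands on the default page instead.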
Issue Links
- is duplicated by: XWIKI-14986 Don't redirect to external URLs (Closed)
- is related to: OIDC-105 Enforce redirection in case trusted domain are not properly configured (Closed)
- relates to: XWIKI-19994 Redirect parameter xredirect in login/logout can link to external site (Closed)
- links to