XWiki Platform / XWIKI-10309

Phishing Through URL Redirection

Details

    • Unit
    • Low
    • Hard
    • Pull Request accepted

    Description

      The xredirect parameter allows specifying any URL, including to an external host. Given that xredirect is an internal parameter controlling where to go after performing an action in XWiki, it should only accept local URLs.

      To reproduce, open /bin/Main/UserDirectory?customize=true&action=reset&xredirect=http://demo.testfire.net and see the phishing site.
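      The rule the description asks for (accept only local targets in a redirect parameter) as an added example. This is not XWiki's own code: XWiki is written in Java, and this is a standalone Python illustration of the same check. The function names is_local_redirect and safe_redirect and the host name wiki.example are assumed for illustration. It goes slightly beyond the path-only case by optionally accepting absolute http(s) URLs whose authority exactly matches the wiki's own host, and it rejects the protocol-relative, backslash and control-character variants that a naive "starts with /" test lets through.

```python
from typing import Optional
from urllib.parse import urlsplit


def is_local_redirect(target: str, own_host: Optional[str] = None) -> bool:
    """Return True only if `target` stays on this site.

    Accepts absolute paths such as "/bin/Main/WebHome" and, when `own_host`
    is given (e.g. "wiki.example" or "wiki.example:8443"), http(s) URLs whose
    authority is exactly that host. Everything else is treated as external.
    (Hypothetical validator, not XWiki's implementation.)
    """
    if not target:
        return False
    # Control characters and whitespace are rejected outright: some URL
    # parsers strip a leading tab or newline and would then see "javascript:"
    # or "//" where this check saw something harmless.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Browsers treat "\" like "/" in http URLs, so "/\evil.example" resolves
    # the same way as "//evil.example".
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if not parts.scheme:
        # Scheme-less input must be a single-slash absolute path. "//host" and
        # "///host" are protocol-relative and resolve to another origin;
        # "bin/Main" is relative and depends on the current page.
        return target.startswith("/") and not target.startswith("//")
    if own_host is None or parts.scheme not in ("http", "https"):
        # "javascript:", "data:", or any absolute URL when no own host is configured.
        return False
    # Absolute URL: the authority must equal our host exactly (case-insensitive)
    # and carry no userinfo, because "http://evil.example@wiki.example/" would
    # otherwise pass a hostname-only comparison in the wrong direction.
    if "@" in parts.netloc:
        return False
    return parts.netloc.lower() == own_host.lower()


def safe_redirect(target: str, fallback: str, own_host: Optional[str] = None) -> str:
    """Return `target` if it is local, otherwise a known-safe `fallback` path."""
    return target if is_local_redirect(target, own_host) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, including the value from the report above.
    for value in ["/bin/Main/WebHome", "http://demo.testfire.net",
                  "//demo.testfire.net", "/\\demo.testfire.net", "javascript:alert(1)"]:
        print(f"{value!r:32} -> {safe_redirect(value, '/bin/Main/WebHome')}")
```

      In a server handler the call would replace a raw use of the parameter: the redirect target becomes safe_redirect(request_param, default_path, own_host), so an external value falls back to a fixed wiki page instead of sending the user off-site.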

    People

      surli Simon Urli
      sdumitriu Sergiu Dumitriu
      Votes: 0
      Watchers: 2
