XWiki Platform / XWIKI-10309

Phishing Through URL Redirection

    Details

    • Tests: Unit
    • Development Priority: Low
    • Difficulty: Hard
    • Pull Request Status: Pull Request accepted

    Description

    The xredirect parameter allows specifying any URL, including one on an external host. Given that xredirect is an internal parameter controlling where to go after performing an action in XWiki, it should only accept local URLs.

    To reproduce, open /bin/Main/UserDirectory?customize=true&action=reset&xredirect=http://demo.testfire.net and see the phishing site.
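The restriction the description asks for, accepting only local targets for a post-action redirect parameter, as an added example in Python (not XWiki's own code or its actual fix); the host name wiki.example.org and the fallback path /bin/Main/WebHome are constructed for the example.

```python
"""Allow-list check for a post-action redirect parameter such as xredirect.

Added example, not XWiki's code. Accepts only targets that stay on this
server and rejects anything a browser could resolve to another host.
"""
from urllib.parse import urlsplit

# Constructed for this example: the host names the wiki is served under.
LOCAL_HOSTS = {"wiki.example.org"}

# Constructed fallback used when the supplied target is not acceptable.
DEFAULT_REDIRECT = "/bin/Main/WebHome"


def is_local_redirect(target: str, local_hosts=LOCAL_HOSTS) -> bool:
    """Return True only if `target` is a URL on this server.

    Accepted: absolute paths ("/bin/Main/...") and http(s) URLs whose host
    is in `local_hosts`. Rejected: foreign hosts, protocol-relative URLs,
    non-http schemes, backslashes, whitespace and control characters.
    """
    if not target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat '\' as '/', so "/\evil.com" would be read as "//evil.com".
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http(s) pointing back at one of our own hosts.
        # `hostname` drops any "user@" prefix, so "https://us@evil.com" fails.
        return parts.scheme in ("http", "https") and parts.hostname in local_hosts
    if parts.netloc:
        # Protocol-relative "//evil.com" keeps the scheme but changes the host.
        return False
    # Relative reference: must be an absolute path that does not start with "//".
    return parts.path.startswith("/") and not parts.path.startswith("//")


def safe_redirect(target: str) -> str:
    """Return `target` if it is local, otherwise the default landing page."""
    return target if is_local_redirect(target) else DEFAULT_REDIRECT


if __name__ == "__main__":
    # Constructed inputs, including the external host from the report above.
    for t in ("/bin/Main/UserDirectory?customize=true",
              "http://demo.testfire.net", "//demo.testfire.net",
              "https://wiki.example.org/bin/view/Main/"):
        print(f"{t!r:45} -> {safe_redirect(t)}")
```

Query strings that themselves contain a full URL (for example a nested return-to parameter) remain acceptable, because only the scheme, authority and path of the target decide where the browser goes.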


    People

    Assignee: surli (Simon Urli)
    Reporter: sdumitriu (Sergiu Dumitriu)
    Votes: 0
    Watchers: 2
