Details
- Bug
- Resolution: Duplicate
- Major
- None
- 9.11.1
- Ubuntu - Apache
- Trivial
Description
Open redirect on the login page. This is the URL (with our host replaced by "URL"):
http://URL/xwiki/bin/login/XWiki/XWikiLogin?srid=qpPJi2Uo&xredirect=https://www.google.co.uk%3Fsrid%3DqpPJi2Uo
Once the user logs in, the application redirects them to Google.
The application should check that the URL in the xredirect parameter belongs to the application; if it does not, it should redirect to the homepage instead.
https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
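The check proposed above, as an added example that is not XWiki's own code: it validates the xredirect value from the login URL and falls back to the homepage for anything that is not a local path or an exact same-origin URL. The application origin and homepage path are assumed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed placeholders; the real application origin and homepage differ.
APP_ORIGIN = "https://xwiki.example.test"
HOMEPAGE = "/xwiki/bin/view/Main/"


def resolve_redirect(xredirect, app_origin=APP_ORIGIN, homepage=HOMEPAGE):
    """Return a post-login target that stays inside the application.

    Accepted: a local absolute path (/xwiki/bin/view/...) or a full URL whose
    scheme and host:port equal app_origin exactly. Everything else (off-site
    hosts, protocol-relative //host, backslash or userinfo variants, non-http
    schemes) falls back to the homepage.
    """
    if not xredirect:
        return homepage
    target = xredirect.strip()
    # Control characters are stripped by browsers and can hide a host; reject.
    if any(ord(c) < 0x20 for c in target):
        return homepage
    # Browsers treat "\" like "/", so "/\host" would become "//host"; reject.
    if "\\" in target:
        return homepage
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: exactly one leading slash, never "//".
        if target.startswith("/") and not target.startswith("//"):
            return target
        return homepage
    app = urlsplit(app_origin)
    # netloc includes userinfo, so "https://app@other" does not match "app".
    if (parts.scheme.lower() == app.scheme
            and parts.username is None and parts.password is None
            and parts.netloc.lower() == app.netloc.lower()):
        return target
    return homepage


def redirect_from_login_url(login_url, app_origin=APP_ORIGIN):
    """Pull xredirect out of a login URL like the one in the report and validate it."""
    query = parse_qs(urlsplit(login_url).query)
    return resolve_redirect(query.get("xredirect", [""])[0], app_origin)
```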
Issue Links
- duplicates XWIKI-10309 Phishing Through URL Redirection (Closed)