  1. XWiki Platform
  2. XWIKI-14986

Don't redirect to external URLs


Details

    • Bug
    • Resolution: Duplicate
    • Major
    • None
    • 9.11.1
    • URLs
    • Ubuntu - Apache.
    • Trivial

    Description

      Open redirect prior to login. This is the URL (minus our host):
      http://URL/xwiki/bin/login/XWiki/XWikiLogin?srid=qpPJi2Uo&xredirect=https://www.google.co.uk%3Fsrid%3DqpPJi2Uo

      Once a user logs in, it will redirect to Google.

      The application should check that the URL in the redirect parameter of the URL is part of the application; if it is not, it should redirect to the homepage.

      https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
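
The check requested in the description, sketched as an added example (not XWiki's code or its fix): the `xredirect` value is accepted only when it is a path inside the application or an absolute URL on the wiki's own scheme and host, and anything else falls back to the homepage. `APP_ORIGIN`, `HOME` and both function names are assumptions made for the illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed deployment values for this illustration (not from the XWiki code base).
APP_ORIGIN = ("https", "wiki.example.org")  # scheme and host the wiki is served from
HOME = "/xwiki/bin/view/Main/"              # fallback target, i.e. the homepage

# Login URL from the report, with its "URL" host placeholder left as written.
REPORTED = ("http://URL/xwiki/bin/login/XWiki/XWikiLogin"
            "?srid=qpPJi2Uo&xredirect=https://www.google.co.uk%3Fsrid%3DqpPJi2Uo")


def safe_redirect(target, origin=APP_ORIGIN, home=HOME):
    """Return target if it stays inside the application, otherwise home."""
    if not target:
        return home
    # Browsers read "\" as "/" and drop control characters, so a value that
    # contains either may resolve differently from how it parses here.
    if "\\" in target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return home
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return home
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a path rooted at a single "/".
        ok = target.startswith("/") and not target.startswith("//")
        return target if ok else home
    # Absolute or scheme-relative URL: scheme and full authority must match
    # exactly, which also rejects userinfo ("host@other") and other ports.
    if (parts.scheme, parts.netloc.lower()) == origin:
        return target
    return home


def redirect_after_login(login_url):
    """Extract xredirect from a login URL and return the validated target."""
    values = parse_qs(urlsplit(login_url).query).get("xredirect", [])
    return safe_redirect(values[0] if values else None)


if __name__ == "__main__":
    print(redirect_after_login(REPORTED))  # off-site target, so the homepage
```

The comparison is made on the parsed scheme and authority rather than on a string prefix, so a value that merely begins with the wiki's host name is not treated as internal.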

            People

              surli Simon Urli
              jkafetz Jed Kafetz
              Votes: 0
              Watchers: 3
