XWiki Platform / XWIKI-22487

Open redirect through HTML conversion request filter



Description

Steps to reproduce:

Open <xwiki-host>/xwiki/bin/view/Main/?foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo&xerror=https://www.example.com where <xwiki-host> is the URL of your XWiki installation.

Expected result:

No redirect is performed; an error may be displayed.

Actual result:

The browser is redirected to https://www.example.com. This demonstrates an open redirect vulnerability that could be used, e.g., for phishing attacks.

This has been reported on SonarCloud, see https://sonarcloud.io/project/issues?open=AXnpAhzJDDFOvAKXAQy3&id=org.xwiki.platform%3Axwiki-platform.
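A constructed model of the failing-conversion redirect described above, added here as an example and not XWiki's own code: is_local_redirect is the check a fix would apply to the xerror value before redirecting, and conversion_error_redirect replays the reported query string against it. The parameter names come from the report; the set of known syntaxes and the default error page are assumptions.

```python
from urllib.parse import parse_qs, urlsplit


def is_local_redirect(target: str) -> bool:
    """Accept only absolute-path targets on the current site.

    Rejects absolute URLs ("https://..."), protocol-relative URLs ("//..."),
    backslash variants ("/\\host", which browsers normalise to "//host"),
    bare schemes ("javascript:...") and control characters.
    """
    if not target:
        return False
    candidate = target.replace("\\", "/")
    if any(ord(c) < 0x20 for c in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    return candidate.startswith("/") and not candidate.startswith("//")


# Assumed set of syntax ids; anything else counts as an invalid syntax.
KNOWN_SYNTAXES = {"xwiki/2.1", "plain/1.0"}


def conversion_error_redirect(query: str, default_error_page: str) -> str:
    """Decide where to send the browser after a failed HTML conversion.

    Constructed model of the filter: if the field named by
    RequiresHTMLConversion has an unknown syntax, the caller-supplied xerror
    is honoured only when it is local; otherwise fall back to a fixed page.
    Returns "" when no redirect is needed at all.
    """
    params = parse_qs(query, keep_blank_values=True)
    field = params.get("RequiresHTMLConversion", [""])[0]
    if not field:
        return ""
    syntax = params.get(f"{field}_syntax", [""])[0]
    if syntax in KNOWN_SYNTAXES:
        return ""
    requested = params.get("xerror", [""])[0]
    return requested if is_local_redirect(requested) else default_error_page


if __name__ == "__main__":
    # The query string from the report: the external xerror is not followed.
    reported = ("foo=bar&foo_syntax=invalid&RequiresHTMLConversion=foo"
                "&xerror=https://www.example.com")
    print(conversion_error_redirect(reported, "/xwiki/bin/view/Main/"))
```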

People

Michael Hamann