Uploaded image for project: 'Openfire'
  1. Openfire
  2. OF-2022

Guard against untrusted URL redirection

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Admin Console
    • Labels:
      None

      Description

      (as reported by LGTM.com for SystemPropertyServlet and SystemCacheDetailsServlet)

      Directly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.

      To guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.

        Attachments

          Activity

            People

            Assignee:
            guus Guus der Kinderen
            Reporter:
            guus Guus der Kinderen
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: