It is possible to construct a URL in the following form which will log in, then redirect to any URL (this one would take you to Google). This sort of redirect can be used in phishing attacks, since the user sees the legitimate domain name in the URL, though there may be legitimate reasons for allowing open redirects.
Is this intentional? If not, my proposed fix is to reject returnPaths that do not start with http://myforumserver.mycompany.com/jforum (or whatever the base path is), and instead replace them with a redirect to the forum index. This allows legitimate login redirects to work as intended without opening a path for phishers to exploit. [originally posted on jforum.net by rbb36]
Migrated From Jforum.net
posted 11 years ago
Hmm, not up on the history of this option, but that sounds like a good change to me. Might be nice to implement it with a settable base URL parameter instead of just the base path. Maybe even with a RegEx expression. People may actually want to redirect to a different server in the same domain.
Of course, the default should be to have "tight" control.
Then again, I'm not up on this parameter so I could be wrong... [originally posted on jforum.net by monroe]
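The check proposed in the first post, with the configurable base URL the second post asks for, as an added example that is not JForum's own code. The class and method names are hypothetical; the base URL is the one quoted above and the sample return paths are constructed. Rather than a plain string prefix test, it compares the parsed scheme, host, port and normalized path, so case differences, `..` segments and scheme-relative URLs are handled.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

// Added example, not JForum code: validate a login returnPath against a
// configured base URL and fall back to the forum index when it does not match.
public final class ReturnPathValidator {
    private final URI base;        // settable base URL, e.g. http://myforumserver.mycompany.com/jforum
    private final String fallback; // forum index used when the returnPath is rejected

    public ReturnPathValidator(String baseUrl, String fallback) {
        this.base = URI.create(baseUrl).normalize();
        this.fallback = fallback;
    }

    /** Returns returnPath if it stays under the base URL, otherwise the index. */
    public String sanitize(String returnPath) {
        if (returnPath == null || returnPath.isEmpty()) return fallback;
        URI target;
        try {
            target = new URI(returnPath).normalize();
        } catch (URISyntaxException e) {
            return fallback;  // malformed (backslashes, spaces, ...): do not guess
        }
        // Scheme-relative ("//evil.example/...") and bare paths carry no scheme or
        // host; require both so the comparison below is against real components.
        if (target.getScheme() == null || target.getHost() == null) return fallback;
        if (target.getRawUserInfo() != null) return fallback; // "user@host" tricks
        if (!target.getScheme().equalsIgnoreCase(base.getScheme())) return fallback;
        if (!target.getHost().toLowerCase(Locale.ROOT)
                .equals(base.getHost().toLowerCase(Locale.ROOT))) return fallback;
        if (target.getPort() != base.getPort()) return fallback; // -1 on both when absent
        // Paths are already normalized, so "/jforum/../admin" became "/admin";
        // require a segment boundary so "/jforumX" does not pass as "/jforum".
        String basePath = base.getPath();
        String path = target.getPath();
        if (!(path.equals(basePath) || path.startsWith(basePath + "/"))) return fallback;
        return returnPath;
    }

    public static void main(String[] args) {
        // Base URL from the post; fallback assumed to be the base itself.
        ReturnPathValidator v = new ReturnPathValidator(
            "http://myforumserver.mycompany.com/jforum",
            "http://myforumserver.mycompany.com/jforum/");
        System.out.println(v.sanitize("http://myforumserver.mycompany.com/jforum/posts/list/1.page"));
        System.out.println(v.sanitize("http://www.google.com/"));      // off-site
        System.out.println(v.sanitize("//www.google.com/"));           // scheme-relative
        System.out.println(v.sanitize("http://myforumserver.mycompany.com/jforum/../admin"));
    }
}
```

To allow a different server in the same domain, as the second post suggests, the host comparison is the one line to relax; anchor any such rule on the parsed host rather than a regex over the raw string.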