Open Redirect Intentional?

 
Ranch Hand
Posts: 17424
It is possible to construct a URL in the following form which will log in then redirect to any URL (this one would take you to Google). This sort of redirect can be used in phishing attacks, since the user sees the legitimate domain name in the URL, though there may be legitimate reasons for allowing open redirects.

http://myforumserver.mycompany.com/jforum/user/login.page?module=user&action=validateLogin&returnPath=http%3A%2F%2Fwww.google.com&username=joe&password=password&redirect=&login=Login

Is this intentional? If not, my proposed fix is to reject returnPaths that do not start with http://myforumserver.mycompany.com/jforum (or whatever the base path is), and instead replace them with a redirect to the forum index. This allows legitimate login redirects to work as intended without opening a path for phishers to exploit.
[originally posted on jforum.net by rbb36]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
Hmm, not up on the history of this option, but that sounds like a good change to me. Might be nice to implement it with a settable base URL parameter instead of just the base path. Maybe even with a RegEx expression. People may actually want to redirect to a different server in the same domain.

Of course, the default should be to have "tight" control.

Then again, I'm not up on this parameter so I could be wrong...
[originally posted on jforum.net by monroe]
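Added example, not JForum's code: a validator that applies rbb36's proposal (only redirect to returnPaths under the forum's own base URL, otherwise fall back to the forum index) together with monroe's idea of a settable base URL list. It compares scheme, host, port and path as separate URI components rather than doing a plain string prefix match, which is what lets lookalike hosts, userinfo tricks and "../" segments through. ALLOWED_BASES, FORUM_INDEX and the class name are assumptions standing in for real configuration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

/** Hypothetical helper; ALLOWED_BASES stands in for a configurable setting. */
public final class ReturnPathValidator {
    // Constructed sample configuration; a deployment would read these from its config.
    private static final List<String> ALLOWED_BASES = List.of(
            "http://myforumserver.mycompany.com/jforum",
            "https://myforumserver.mycompany.com/jforum");
    private static final String FORUM_INDEX = "/jforum/forums/list.page";

    /** Returns returnPath if it sits under an allowed base URL, else the forum index. */
    public static String safeRedirect(String returnPath) {
        if (returnPath == null || returnPath.isEmpty()) {
            return FORUM_INDEX;
        }
        URI target;
        try {
            // normalize() collapses "/jforum/../admin" so the path check sees "/admin"
            target = new URI(returnPath).normalize();
        } catch (URISyntaxException e) {
            return FORUM_INDEX;
        }
        // Absolute URLs only: this also rejects protocol-relative "//other.example/..."
        if (target.getScheme() == null || target.getHost() == null) {
            return FORUM_INDEX;
        }
        for (String base : ALLOWED_BASES) {
            try {
                URI b = new URI(base);
                boolean sameOrigin = b.getScheme().equalsIgnoreCase(target.getScheme())
                        && b.getHost().equalsIgnoreCase(target.getHost())
                        && b.getPort() == target.getPort()
                        && target.getUserInfo() == null; // "base-host@other.example" has host other.example
                // Whole-segment comparison: "/jforumX/..." must not match base path "/jforum"
                String path = target.getPath() == null ? "" : target.getPath();
                boolean underBase = path.equals(b.getPath())
                        || path.startsWith(b.getPath() + "/");
                if (sameOrigin && underBase) {
                    return target.toString();
                }
            } catch (URISyntaxException ignored) {
                // skip a malformed configuration entry rather than failing open
            }
        }
        return FORUM_INDEX;
    }
}
```

With this configuration the returnPath from the URL in the first post (`http://www.google.com`) yields the forum index, while `http://myforumserver.mycompany.com/jforum/posts/list/1.page` is returned unchanged; a second server in the same domain is allowed simply by adding its base URL to the list, which is easier to audit than a regular expression.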
 