It is possible to construct a URL in the following form which will log in then redirect to any URL (this one would take you to Google). This sort of redirect can be used in phishing attacks, since the user sees the legitimate domain name in the URL, though there may be legitimate reasons for allowing open redirects.
http://myforumserver.mycompany.com/jforum/user/login.page?module=user&action=validateLogin&returnPath=http%3A%2F%2Fwww.google.com&username=joe&password=password&redirect=&login=Login
Is this intentional? If not, my proposed fix is to reject returnPaths that do not start with http://myforumserver.mycompany.com/jforum (or whatever the base path is), and instead replace them with a redirect to the forum index. This allows legitimate login redirects to work as intended without opening a path for phishers to exploit.
[originally posted on jforum.net by rbb36]
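The check rbb36 proposes, as an added example that is not part of the original post and not JForum's own code: it is written in Python rather than JForum's Java, the forum base URL and the sample login URL are taken from the post, and the forum index URL (`/forums/list.page`) and the function names are assumptions. It goes a little beyond a plain string-prefix test by resolving the returnPath against the base URL and comparing scheme, host and normalised path, so that scheme-relative (`//other.host`), `javascript:` and `..` traversal inputs are also sent to the index.

```python
"""Allow a post-login returnPath only if it leads back into the forum;
otherwise fall back to the forum index (the fix proposed in the post)."""
import posixpath
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

# Forum base URL as given in the post; the index page URL is an assumption.
FORUM_BASE = "http://myforumserver.mycompany.com/jforum"
FORUM_INDEX = FORUM_BASE + "/forums/list.page"

_BASE = urlsplit(FORUM_BASE)
_BASE_PATH = _BASE.path.rstrip("/") or "/"


def safe_return_path(return_path: Optional[str]) -> str:
    """Return an absolute URL that is safe to redirect to after login.

    The candidate is resolved against the forum base, then its scheme,
    host and normalised path are compared with the forum's own. Anything
    else (other hosts, '//evil', 'javascript:', traversal out of the
    forum path, backslash or control characters) is replaced by the index.
    """
    if not return_path:
        return FORUM_INDEX
    candidate = return_path.strip()
    # Browsers and servers disagree on backslashes and control characters
    # in URLs, so never forward a value containing them.
    if "\\" in candidate or any(ord(c) < 0x21 for c in candidate):
        return FORUM_INDEX
    # Resolve relative paths against the forum base, then take it apart.
    resolved = urlsplit(urljoin(FORUM_BASE + "/", candidate))
    if resolved.scheme.lower() != _BASE.scheme.lower():
        return FORUM_INDEX
    # Comparing the whole netloc also rejects 'user@evil.com@...' and
    # 'myforumserver.mycompany.com.evil.com' style hosts.
    if resolved.netloc.lower() != _BASE.netloc.lower():
        return FORUM_INDEX
    # Collapse '.' and '..' so '/jforum/../admin' is judged as '/admin'.
    path = posixpath.normpath(resolved.path or "/")
    if path != _BASE_PATH and not path.startswith(_BASE_PATH + "/"):
        return FORUM_INDEX
    return resolved.geturl()


def redirect_target_for(login_url: str) -> str:
    """Pull returnPath out of a login request URL like the one in the post
    and return where the server should actually send the browser."""
    params = parse_qs(urlsplit(login_url).query)
    return safe_return_path(params.get("returnPath", [""])[0])


if __name__ == "__main__":
    # The login URL from the post (sample value, credentials are dummies).
    attack = (
        "http://myforumserver.mycompany.com/jforum/user/login.page?module=user"
        "&action=validateLogin&returnPath=http%3A%2F%2Fwww.google.com"
        "&username=joe&password=password&redirect=&login=Login"
    )
    print(redirect_target_for(attack))                # forum index
    print(safe_return_path("/jforum/posts/list/5.page"))  # kept, absolute
```

Because the function returns the resolved absolute URL rather than echoing the raw parameter, the redirect the server emits is always one it has rebuilt from parts it has checked.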