Open Redirect Intentional?

 
Ranch Hand
Posts: 17424
It is possible to construct a URL in the following form which will log in then redirect to any URL (this one would take you to Google). This sort of redirect can be used in phishing attacks, since the user sees the legitimate domain name in the URL, though there may be legitimate reasons for allowing open redirects.

http://myforumserver.mycompany.com/jforum/user/login.page?module=user&action=validateLogin&returnPath=http%3A%2F%2Fwww.google.com&username=joe&password=password&redirect=&login=Login

Is this intentional? If not, my proposed fix is to reject returnPaths that do not start with http://myforumserver.mycompany.com/jforum (or whatever the base path is), and instead replace them with a redirect to the forum index. This allows legitimate login redirects to work as intended without opening a path for phishers to exploit.
[originally posted on jforum.net by rbb36]
 
Migrated From Jforum.net
Ranch Hand
Posts: 17424
Hmm, not up on the history of this option, but that sounds like a good change to me. Might be nice to implement it with a settable base URL parameter instead of just the base path. Maybe even with a RegEx expression. People may actually want to redirect to a different server in the same domain.

Of course, the default should be to have "tight" control.

Then again, I'm not up on this parameter so I could be wrong...
[originally posted on jforum.net by monroe]
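As an added illustration of the fix proposed in the first post (reject a returnPath that leaves the forum and fall back to the index) with the settable base URL the second reply suggests, here is a stand-alone validator. It is example code written for this thread, not JForum's own implementation; the class name, the base URL and the index URL are assumed values.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Example only (not JForum code): keeps a login returnPath on the configured forum base URL. */
public final class ReturnPathValidator {
    private final URI base;        // assumed: http://myforumserver.mycompany.com/jforum/
    private final String indexUrl; // where to send the user when returnPath is rejected

    public ReturnPathValidator(String baseUrl, String indexUrl) {
        // Keep a trailing slash so relative paths resolve inside the context path.
        this.base = URI.create(baseUrl.endsWith("/") ? baseUrl : baseUrl + "/").normalize();
        this.indexUrl = indexUrl;
    }

    /** Returns the URL to redirect to: returnPath if it stays on the forum, otherwise the index. */
    public String safeRedirect(String returnPath) {
        if (returnPath == null || returnPath.isEmpty()) return indexUrl;
        URI target;
        try {
            target = new URI(returnPath).normalize(); // normalize() collapses "." and ".." segments
        } catch (URISyntaxException e) {
            return indexUrl; // unparseable input is rejected, never passed through
        }
        // Only a value with neither scheme nor authority is a same-server relative path.
        if (target.getScheme() == null && target.getRawAuthority() == null) {
            target = base.resolve(target);
        }
        // Compare scheme, host and port individually rather than testing a string prefix on the URL.
        if (!base.getScheme().equalsIgnoreCase(target.getScheme())) return indexUrl;
        if (target.getHost() == null || !base.getHost().equalsIgnoreCase(target.getHost())) return indexUrl;
        if (effectivePort(base) != effectivePort(target)) return indexUrl;
        if (target.getRawUserInfo() != null) return indexUrl; // user@host forms are never legitimate here
        // The path must sit under the forum's context path (/jforum or /jforum/...).
        String path = target.getPath() == null ? "" : target.getPath();
        if (!(path + "/").startsWith(base.getPath())) return indexUrl;
        return target.toString();
    }

    private static int effectivePort(URI u) {
        if (u.getPort() != -1) return u.getPort();
        return "https".equalsIgnoreCase(u.getScheme()) ? 443 : 80;
    }

    public static void main(String[] args) {
        ReturnPathValidator v = new ReturnPathValidator(
            "http://myforumserver.mycompany.com/jforum", "http://myforumserver.mycompany.com/jforum/forums/list.page");
        System.out.println(v.safeRedirect("http://www.google.com"));                         // index page
        System.out.println(v.safeRedirect("http://myforumserver.mycompany.com/jforum/posts/list/1.page")); // kept
        System.out.println(v.safeRedirect("posts/list/1.page"));                              // resolved under /jforum/
    }
}
```

Allowing a second server in the same domain, as the reply suggests, would mean holding a list of permitted bases and accepting a returnPath that passes this check against any of them.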
 
See ya later boys, I think I'm in love. Oh wait, she's just a tiny ad:
We need your help - Coderanch server fundraiser
https://coderanch.com/wiki/782867/Coderanch-server-fundraiser
reply
    Bookmark Topic Watch Topic
  • New Topic