
Admin console login.jsp allows redirects to non-local URIs

Description

Hello, there is a minor security issue in the login page for Openfire; the
login.jsp page has the parameter ?url for the post-authentication redirect. It
is possible to set this to any URL. For example:
http://127.0.0.1:9090/login.jsp?url=http://www.google.co.uk would redirect
to www.google.co.uk after authentication. More info
at: https://www.owasp.org/index.php/Open_redirect

Not a huge issue as most of these servers would be internally facing, but
still not in line with good practice, as they could be used by a malicious
insider against system admins. I thought you should know.

[Credit to Jonathan Bush, Security Consultant at ProCheckUp www.procheckup.com]
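As an added illustration (not Openfire's own code and not the change made in PR #58), this is the kind of check a login page can apply to a caller-supplied redirect target before passing it to a redirect: only a relative, same-host path is accepted, and anything carrying a scheme or a host falls back to a default page. The class name, method names, default page and sample targets are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Openfire's code: accept only a local, relative path
// as the post-authentication redirect target and fall back otherwise.
public final class RedirectTargetValidator {

    // Landing page used when the supplied ?url value is rejected (assumed).
    static final String DEFAULT_TARGET = "index.jsp";

    // Returns true only for a relative path that stays on this host.
    static boolean isLocalPath(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Reject control characters and backslashes before parsing; some
        // browsers normalise "/\host" to "//host".
        for (char c : target.toCharArray()) {
            if (c <= 0x20 || c == '\\') {
                return false;
            }
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // A scheme (http:, javascript:) or an authority (//host) means the
        // browser would leave the admin console.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        return !target.startsWith("//");
    }

    // The value actually passed to response.sendRedirect().
    static String chooseRedirect(String requested) {
        return isLocalPath(requested) ? requested : DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        // Constructed sample targets: the first two are kept, the rest fall back.
        String[] samples = { "index.jsp?x=1", "/admin/index.jsp",
            "http://www.google.co.uk", "//evil.example/x", "/\\evil.example" };
        for (String s : samples) {
            System.out.println(s + " -> " + chooseRedirect(s));
        }
    }
}
```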

Environment

None

Acceptance Test - Entry

None

Activity

Dave Cridland
August 5, 2014, 8:06 AM

PR #58 to close this.

wroot
September 15, 2015, 6:03 PM

I see commits. Can it be marked as fixed?

Tim Durden
January 4, 2016, 10:54 AM

Re-tested as part of the Openfire 4.0.0 beta. Post-auth, the redirect does not occur. Closing.

Assignee

Dave Cridland

Reporter

Daryl Herzmann

Labels

None

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major