Admin console login.jsp allows redirects to non-local URIs

Description

Hello, there is a minor security issue in the login page for Openfire; the
login.jsp page has the parameter ?url for the post-authentication redirect. It
is possible to set this to any URL. For example:
http://127.0.0.1:9090/login.jsp?url=http://www.google.co.uk would redirect
to http://www.google.co.uk after authentication. More info
at: https://www.owasp.org/index.php/Open_redirect

Not a huge issue as most of these servers would be internally facing, but
still not in line with good practice, as it could be used by a malicious
insider against system admins. I thought you should know.

[Credit to Jonathan Bush, Security Consultant at ProCheckUp www.procheckup.com]
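The defensive check that closes this class of bug is to accept only a local, absolute-path target for the ?url parameter and fall back to a fixed page otherwise. The following is an added illustration written for this report, not Openfire's own code or its fix; the class name SafeRedirect and the default target /index.jsp are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Sanitises a post-authentication redirect target (illustrative, not Openfire's code). */
public final class SafeRedirect {
    // Assumed fallback page; any rejected target is replaced by this.
    private static final String DEFAULT_TARGET = "/index.jsp";

    public static String sanitize(String url) {
        if (url == null || url.isEmpty()) {
            return DEFAULT_TARGET;
        }
        // Browsers treat "//host" and "///host" as protocol-relative, and some
        // normalise "/\host" to "//host"; reject all of these up front.
        if (url.startsWith("//") || url.indexOf('\\') >= 0) {
            return DEFAULT_TARGET;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET; // control characters, spaces, malformed escapes
        }
        // Any scheme ("http:", "javascript:") or authority means a non-local target.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return DEFAULT_TARGET;
        }
        String path = uri.getRawPath();
        // Require an absolute path so the target stays within this web application.
        if (path == null || !path.startsWith("/")) {
            return DEFAULT_TARGET;
        }
        return url;
    }

    public static void main(String[] args) {
        String[] samples = {
            "/user-summary.jsp?x=1", "http://www.google.co.uk", "//www.google.co.uk",
            "///www.google.co.uk", "/\\www.google.co.uk", "javascript:alert(1)", "index.jsp", null
        };
        for (String s : samples) {
            System.out.println(s + " -> " + sanitize(s));
        }
    }
}
```

Only the first sample survives unchanged; every other entry, including the report's http://www.google.co.uk example, is replaced by the default target.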

Environment

None

Activity

Tim Durden
January 4, 2016, 10:54 AM

Re-tested as part of the Openfire 4.0.0 beta. Post-auth, the redirect does not occur. Closing.

wroot
September 15, 2015, 6:03 PM

I see commits. Can it be marked as fixed?

Dave Cridland
August 5, 2014, 8:06 AM

PR #58 to close this.

Fixed

Assignee

Dave Cridland

Reporter

Daryl Herzmann