Admin console login.jsp allows redirects to non-local URIs
Hello, there is a minor security issue in the login page for Openfire; the login.jsp page has the parameter ?url for post-authentication redirect. It is possible to set this to any URL. For example: http://127.0.0.1:9090/login.jsp?url=http://www.google.co.uk would redirect to www.google.co.uk after authentication.
More info
Not a huge issue as most of these servers would be internally facing, but still not in line with good practice as they could be used by a malicious insider against system admins. I thought you should know.
[Credit to Jonathan Bush, Security Consultant at ProCheckUp www.procheckup.com]
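The mitigation for this class of bug is to accept only same-site relative paths for the post-login redirect and to fall back to a fixed page otherwise. The helper below is an added illustration written for this report; it is not Openfire's code and not the fix that shipped in 4.0.0. `RedirectCheck`, `isLocalRedirect`, `safeTarget` and the `/index.jsp` fallback are assumed names; a caller such as login.jsp would pass `request.getParameter("url")` to `safeTarget` before calling `response.sendRedirect`.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical helper: decides whether a ?url redirect target stays on this host. */
public final class RedirectCheck {

    // Assumed landing page used whenever the supplied target is rejected.
    private static final String DEFAULT_TARGET = "/index.jsp";

    /** True only for an absolute-path reference on the same origin ("/page.jsp?x=1"). */
    public static boolean isLocalRedirect(String url) {
        if (url == null || url.isEmpty()) {
            return false;
        }
        // Some browsers normalise "\" to "/", so "/\host" would become "//host".
        // CR/LF must never reach a Location header.
        if (url.contains("\\") || url.contains("\r") || url.contains("\n")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(url);
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected, not "cleaned"
        }
        // A scheme (http:, javascript:) or an authority (//host) means off-site.
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.getRawPath();
        // Must be an absolute path on this host; "//..." would be scheme-relative.
        return path != null && path.startsWith("/") && !path.startsWith("//");
    }

    /** Returns the caller-supplied target if it is local, otherwise the default page. */
    public static String safeTarget(String url) {
        return isLocalRedirect(url) ? url : DEFAULT_TARGET;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the one from the report above.
        String[] samples = {
            "/user-summary.jsp?x=1", "http://www.google.co.uk", "//www.google.co.uk",
            "javascript:alert(1)", "/\\www.google.co.uk", "index.jsp"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safeTarget(s));
        }
    }
}
```

Only the first sample passes through unchanged; every other input, including the scheme-relative and backslash variants, is replaced by the default page.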
Re-tested as part of the Openfire 4.0.0 beta. Post-auth, the redirect does not occur. Closing.
I see commits. Can it be marked as fixed?
PR #58 to close this.