Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#10809 closed defect (fixed)

Potential open redirect

Reported by: Jared Jurkiewicz
Owned by: James Burke
Priority: high
Milestone: 1.4.2
Component: General
Version: 1.4.0
Keywords: (none)
Cc: (none)
Blocked By: (none)
Blocking: (none)

Description

Reported by a co-worker doing security analysis:

This kind of attack is possible when a web application accepts a user-controlled input that specifies a link to an external site. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

This is also sometimes called “Open Redirect”.

Change History (3)

comment:1 Changed 10 years ago by James Burke

Milestone: tbd → 1.4.2

I have worked on this in the past; I can do a similar fix for it as was done for the DOH stuff. I want to get the fix in for 1.4.2.

comment:3 Changed 10 years ago by Jared Jurkiewicz

Great, thanks James!

comment:4 Changed 10 years ago by James Burke

Resolution: fixed
Status: new → closed