#10809 closed defect (fixed)
Potential open redirect
| Reported by: | Jared Jurkiewicz | Owned by: | James Burke |
|---|---|---|---|
| Priority: | high | Milestone: | 1.4.2 |
| Component: | General | Version: | 1.4.0 |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: |
Description
Reported by a co-worker doing security analysis:
This kind of attack is possible when a web application accepts a user-controlled input that specifies a link to an external site. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
This is also sometimes called “Open Redirect”.
Change History (3)
comment:1 Changed 12 years ago by
| Milestone: | tbd → 1.4.2 |
|---|
comment:4 Changed 12 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Note: See
TracTickets for help on using
tickets.
I have worked on it in the past, I can do a similar fix for it as done for the DOH stuff, I want to get the fix in for 1.4.2.