Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#2059 closed defect (fixed)

Logout request parameter allows redirection to everywhere

Reported by: michael.ritter Owned by: comvation
Priority: normal Milestone: Contrexx 3.2
Component: Login Version: 3.1.1
Severity: normal Keywords:


The request parameter 'redirect' on the logout page allows redirection to any site. This makes phishing quite easy.

To fix this, only allow links that are within the same domain or ones that are in a whitelist.
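The check the ticket proposes (same-site paths or an allow-list of hosts, everything else falls back to a safe default), written out as an added example. This is not Contrexx code and not the fix that closed the ticket: Contrexx is a PHP application, and this is a framework-independent Python sketch of the validation logic. The hosts in ALLOWED_HOSTS, the request host and every sample input are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list for this example; the ticket itself names no hosts.
ALLOWED_HOSTS = frozenset({"www.example.com", "intranet.example.com"})
DEFAULT_TARGET = "/"


def safe_redirect_target(redirect, request_host, allowed_hosts=ALLOWED_HOSTS,
                         default=DEFAULT_TARGET):
    """Validate a user-supplied ?redirect= value for a logout handler.

    Accepts only (a) a local absolute path such as "/account" or
    (b) an http(s) URL whose host is the requesting site or is on the
    allow-list. Anything else yields `default`, so the handler never
    echoes an attacker-chosen location into the Location header.
    """
    if not redirect:
        return default

    # Whitespace and control characters: browsers strip some of them and
    # Python's urlsplit() silently drops others, so a value such as
    # "\t//evil.example" could slip past a naive prefix check.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in redirect):
        return default

    # Browsers treat a backslash like a forward slash in the authority
    # position, so "/\evil.example" navigates to //evil.example.
    if "\\" in redirect:
        return default

    if redirect.startswith("/"):
        # Local path. Require exactly one leading slash: "//host" and
        # "///host" are protocol-relative URLs, not paths.
        if redirect.startswith("//"):
            return default
        parts = urlsplit(redirect)
        if parts.scheme or parts.netloc:  # defensive; unreachable after the checks above
            return default
        return urlunsplit(("", "", parts.path, parts.query, parts.fragment))

    parts = urlsplit(redirect)
    # Only http(s) with an explicit authority. "http:evil.example" has no
    # netloc here, but browsers resolve it to http://evil.example.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return default
    # "https://www.example.com@evil.example/": reject userinfo outright
    # rather than risk matching on the part before the '@'.
    if "@" in parts.netloc:
        return default
    host = parts.hostname  # lower-cased, port and IPv6 brackets removed
    if host is None:
        return default
    # Exact match only: a prefix or suffix test would admit
    # www.example.com.evil.example or evil-www.example.com.
    if host != request_host.lower() and host not in allowed_hosts:
        return default
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/",
                       parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs covering the cases handled above.
    samples = [
        "/account",
        "//evil.example/phish",
        "/\\evil.example",
        "https://www.example.com/done",
        "https://www.example.com.evil.example/",
        "https://www.example.com@evil.example/",
        "javascript:alert(1)",
        "http:evil.example",
    ]
    for s in samples:
        print(f"{s!r:45} -> {safe_redirect_target(s, 'www.example.com')!r}")
```

The two branches are deliberate: a local path is accepted only when it has a single leading slash, and an absolute URL only when its scheme is http(s), it carries no userinfo, and its hostname matches the request host or the allow-list exactly. Comparing against `hostname` rather than the raw `netloc` means the port and case are normalised before the comparison, so `http://intranet.example.com:8080/x` passes while `https://www.example.com.evil.example/` does not.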

Attachments (1) (33.1 KB) - added by michael.ritter 8 years ago.


Change History (3)

comment:1 Changed 8 years ago by michael.ritter

  • Resolution set to fixed
  • Status changed from new to closed

Changed 8 years ago by michael.ritter
