Comment 0 for bug 1039077
Revision history for this message
| Thomas Biege (thomas-suse-deactivatedaccount) wrote open redirect / phishing attack via "next" parameter | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
The "next" parameter is used here and there in the Dasboard.
http://
Redirects to www.heise.de.
Instead of redirecting to heise and attacker can redirect to a cloned Dasboard
to steal information, so called Phishing Attack.
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
http://
We had an equal issue in SUSE Manager / Spacewalk:
https:/
Folsom seems to be safe, but it effects Essex.
https:/
The solution was that the string has to start with "/" (so no URL scheme is
allowed) AFAIR.