Issues » Arbitrary URL redirects

Issue: SI-22
Date: Apr 21, 2014 11:15:00 AM
Severity: Low
Requires Admin Access: No
Fix Version: 2.5.4
Credit: it.sec GmbH & Co. KG – Hans-Martin Münch & Markus Piéton
Description:

Using an arbitrary URL redirect a attacker is able to send visiting clients to a web site of the attacker’s choosing. To successfully mount such a attack the attacker prepares a link to the dotCMS site that looks like a innocent link to an article. If the victim visits the link the browser gets redirected to the attacker’s controlled page.

Workaround:

As a workaround, we suggest using a Application firewall to block access to those urls externally.

Back to the top