[TYPO3-dev] jumpurl generally insecure?
Marc Wöhlken
woehlken at quadracom.de
Tue Jul 24 16:17:08 CEST 2012
Hello!
This posting is not meant to reveal some "secret" security issue, as the
jumpurl feature is well known and widely used among TYPO3 developers.
A company checking the security of one of our clients website came up
with a really surprising comment on jumpurl. As far as I understand
their comments, they consider TYPO3's jumpurl feature to be
generally(!) insecure.
Here is a translation of their statement, my comments in brackets:
---
During our tests we found a typical[!!!] TYPO3 security weakness. It
concerns an "Open redirection weakness" which can redirect a user
clicking the following link [changed link to something publicly
available] to another website:
http://www.typo3.org/index.php?jumpurl=http://forge.typo3.org/
This weakness can be used for phishing attacks.
We recommend disabling this feature.
---
I just wanted to fetch some opinions on this topic, as I can't quite see
a) why this should be a general weakness
b) how to disable jumpurl completely
Hoping for some enlightening comments,
regards
Marc
--
...........................................................
Marc Wöhlken TYPO3 certified integrator
Quadracom - Proffe & Wöhlken
Rembertistraße 32 WWW: http://www.quadracom.de
D-28203 Bremen E-Mail: woehlken at quadracom.de
______________ PGP-Key: http://pgp.quadracom.de
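The "open redirection" the auditors describe arises when a jumpurl-style parameter is forwarded to the browser unchecked. The following check is an added illustration, not TYPO3's own code and not from this thread: it only lets a redirect proceed to a same-site path or to a host on an allowlist, and it handles the usual bypass shapes (protocol-relative `//host`, userinfo `allowed@other`, non-http schemes, backslash paths). The allowed hosts and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist; a real site would list its own redirect targets.
ALLOWED_HOSTS = {"www.typo3.org", "forge.typo3.org"}
SAFE_FALLBACK = "/"


def safe_redirect_target(jumpurl, allowed_hosts=ALLOWED_HOSTS,
                         fallback=SAFE_FALLBACK):
    """Return jumpurl unchanged if it is a same-site path or points at an
    allowed host; otherwise return the fallback location."""
    if not jumpurl:
        return fallback
    target = jumpurl.strip()
    parts = urlsplit(target)

    # Refuse anything that is not plain http(s): javascript:, data:, ...
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback

    # No scheme and no authority: a relative reference. Accept only a
    # single-slash path; "//host" is parsed as an authority and handled
    # below, while "/\host" is treated like "//host" by browsers.
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return fallback

    # .hostname drops userinfo and port, so "allowed@evil" yields "evil".
    host = (parts.hostname or "").lower()
    return target if host in allowed_hosts else fallback


if __name__ == "__main__":
    # Constructed sample inputs, including the shapes attackers try.
    for sample in ["http://forge.typo3.org/", "http://evil.example/",
                   "//evil.example/", "http://forge.typo3.org@evil.example/",
                   "javascript:alert(1)", "/some/page?x=1", "/\\evil.example"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```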