[TYPO3-dev] jumpurl generally insecure?

Dmitry Dulepov dmitry.dulepov at gmail.com
Tue Jul 24 17:35:18 CEST 2012


Hi!

Marc Wöhlken wrote:
> A company checking the security of one of our clients' websites came up
> with a really surprising comment on jumpurl. As far as I understand
> their comments they consider TYPO3's jumpurl feature as being
> generally(!) insecure.
>
> Here is a translation of their statement, my comments in brackets:
> ---
> During our tests we found a typical[!!!] TYPO3 security weakness. It
> concerns an "Open redirection weakness" which can redirect a user
> clicking the following link [changed link to something publicly
> available] to another website:
> http://www.typo3.org/index.php?jumpurl=http://forge.typo3.org/
>
> This weakness can be used for phishing attacks.
>
> We recommend disabling this feature.
> ---
>
> I just wanted to fetch some opinions on this topic as I can't quite see
> a) why this should be a general weakness
> b) how to disable jumpurl completely

The best thing you can do is to look right now at TSRef, where it mentions 
jumpurl :) You will find all answers there.

-- 
Dmitry Dulepov
TYPO3 core team member
Blog: http://dmitry-dulepov.com/
Twitter: http://twitter.com/dmitryd

Simplicity will save the world.
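
The following is an added example that is not part of the original message and not TYPO3's own code. It models the pattern the auditors describe (a ?jumpurl= parameter that is used verbatim as a redirect target) next to two hardening checks a practitioner would look for in any jump-URL handler: a host allowlist built on proper URL parsing, and an HMAC signature so that only links the server itself generated are honoured. The host names, the secret, the allowlist and the signature parameter name "jumpsig" are all constructed for the illustration and are not TYPO3 identifiers.

```python
"""
Added example, not TYPO3 code: a minimal jump-URL redirect handler showing
the open-redirect pattern, next to two hardened variants.

Assumptions (hypothetical, chosen for the illustration only):
  - the redirect target arrives as the query parameter ``jumpurl``
  - the site's own host is ``www.example.org``
  - links are rendered server-side, so they can be signed with an HMAC
    under a secret only the server knows (signature parameter ``jumpsig``)
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.example.org"
ALLOWED_HOSTS = {SITE_HOST, "forge.example.org"}   # constructed allowlist
SECRET = b"server-side-secret-key"                  # constructed; never put in a URL


def vulnerable_jumpurl(query: str):
    """Open redirect: whatever the client puts in jumpurl is returned verbatim
    as the Location target, so any phishing site can be reached through
    a link that starts with the trusted site's own domain."""
    params = parse_qs(query)
    return params.get("jumpurl", [None])[0]


def host_allowlisted(target: str) -> bool:
    """Hardened variant 1: redirect only to known hosts.

    urlsplit() is used rather than string prefix matching, so targets such as
    'http://www.example.org.attacker.example/' or
    'http://attacker.example/?x=www.example.org' do not pass.
    Scheme-relative ('//attacker.example') and 'javascript:' targets have no
    http(s) scheme and are rejected as well.
    """
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def sign_jumpurl(target: str) -> str:
    """Server side: compute the signature to append when rendering a link."""
    return hmac.new(SECRET, target.encode(), hashlib.sha256).hexdigest()


def signed_jumpurl_ok(query: str) -> bool:
    """Hardened variant 2: honour only targets the server itself signed.
    An attacker cannot forge jumpsig without SECRET, so a hand-crafted
    ?jumpurl=http://attacker.example/ link is refused."""
    params = parse_qs(query)
    target = params.get("jumpurl", [None])[0]
    given = params.get("jumpsig", [""])[0]
    if target is None:
        return False
    return hmac.compare_digest(sign_jumpurl(target), given)


def safe_jumpurl(query: str):
    """Apply both checks; return the target to redirect to, or None."""
    params = parse_qs(query)
    target = params.get("jumpurl", [None])[0]
    if target is None or not host_allowlisted(target):
        return None
    if not signed_jumpurl_ok(query):
        return None
    return target


if __name__ == "__main__":
    crafted = "jumpurl=http://attacker.example/"
    print("vulnerable handler redirects to:", vulnerable_jumpurl(crafted))
    print("hardened handler redirects to:", safe_jumpurl(crafted))
    good = "http://forge.example.org/"
    print("signed, allowlisted link redirects to:",
          safe_jumpurl(f"jumpurl={good}&jumpsig={sign_jumpurl(good)}"))
```

The allowlist alone already answers the auditors' phishing concern; the signature additionally stops anyone from minting redirect links to allowlisted hosts that the site never published, which is what turns a "redirect parameter" into a feature that can be left enabled. Either check is something a TSRef reader should expect to find a configuration knob for before concluding that the feature must be switched off entirely.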