Open redirect #247

@wotell

Description

It seems that when I redirect to a relative URL in the root it enables an open redirect. This seems to be introduced in the new version of the NotFound-handler.

This is the redirect rule which was enabled in the old (Episerver 11) version (I replaced our site in the example below):

<url>
  <old redirectType="Permanent">/www/somesite/nl/</old>
  <new>/?utm_source=www.somesite.nl&amp;utm_medium=redirect&amp;utm_campaign=rebranding</new>
</url>

This rule was exported from Episerver 11 and imported into the new version, version 12.

When this rule is enabled in the new version, we enable an open redirect. As an example, navigating to this URL:
https://www.oursite.nl/www/somesite/nl/google.com
will redirect the browser to google.com.
The Location header is set to https://google.com/?utm_source=www.somesite.nl&utm_medium=redirect&utm_campaign=rebranding
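An added example (not the NotFound-handler's own code) of the check a redirect handler should run on the computed Location value before emitting it: resolve the candidate against the site's own origin and only redirect when it stays there, so the absolute https://google.com/... value observed above is replaced with the site root while the rule's intended /?utm_source=... target still passes. SITE_ORIGIN and the helper names are assumptions chosen for this illustration.

```python
from urllib.parse import urlsplit, urljoin

# Constructed samples: the site host and rule target from the report, plus the
# Location value the reporter observed after requesting /www/somesite/nl/google.com.
SITE_ORIGIN = "https://www.oursite.nl"
RULE_NEW = "/?utm_source=www.somesite.nl&utm_medium=redirect&utm_campaign=rebranding"
OBSERVED_LOCATION = "https://google.com/?utm_source=www.somesite.nl&utm_medium=redirect&utm_campaign=rebranding"


def resolve(location: str) -> str:
    """Where a browser would actually go: the Location value resolved against the site origin."""
    return urljoin(SITE_ORIGIN + "/", location)


def is_local_redirect(location: str) -> bool:
    """Allow only redirect targets that stay on SITE_ORIGIN after resolution.

    Hypothetical helper written for this example; it is not the handler's code.
    """
    if not location or any(ord(c) < 0x20 for c in location):
        return False  # empty value, or control characters usable for header injection
    if location.startswith(("//", "/\\", "\\")):
        return False  # protocol-relative ("//host") and backslash forms some browsers accept
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:
        # Absolute URL: acceptable only when it is exactly our own scheme and host.
        return f"{parts.scheme}://{parts.netloc}".lower() == SITE_ORIGIN
    if not location.startswith("/"):
        # "google.com/?utm_source=..." is technically a relative path, but a
        # redirect target without a leading slash is ambiguous; refuse it.
        return False
    return urlsplit(resolve(location)).netloc == urlsplit(SITE_ORIGIN).netloc


def safe_location(candidate: str, fallback: str = "/") -> str:
    """Value to place in the Location header: the candidate if local, else the site root."""
    return candidate if is_local_redirect(candidate) else fallback


if __name__ == "__main__":
    for value in (RULE_NEW, OBSERVED_LOCATION, "//google.com/", "google.com/?utm_source=x"):
        print(f"{value!r:90} -> {safe_location(value)!r}")
```

ASP.NET Core's IUrlHelper.IsLocalUrl performs the same kind of check and is the natural place to apply it in an Episerver 12 handler.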
