Protecting Against Open Redirect¶
Open redirect (also known as unvalidated redirects and forwards) is a URL redirection vulnerability. An attacker can exploit it to redirect users from a trusted to a potentially malicious third-party website and steal their credentials via a phishing attack. To protect against this vulnerability, we recommend configuring Plesk to restrict URL redirection.
The vulnerability is made possible by the success_redirect_url
and failure_redirect_url
parameters, which are used when you set up automated logging in to
Plesk.
The success_redirect_url
parameter contains one or more hostnames to which a user is
redirected after a successful login, while failure_redirect_url
—after a failed login attempt
or logging out.
The vulnerability can affect all Plesk servers, regardless of whether automatic logging in to Plesk has been set up or not. To protect against it, you need to add an entry to the panel.ini file. The exact entry varies depending on whether automatic logging in to Plesk has been set up.
To protect Plesk against open redirect if you have not set up automatic logging in to Plesk:
Add the following lines to the panel.ini file:
[security]
trustedRedirectHosts =
The trustedRedirectHosts
line is empty and no hostnames are specified.
This way you forbid Plesk from redirecting to any hostnames using the
success_redirect_url
and failure_redirect_url
parameters.
To protect Plesk against open redirect if you have set up automatic logging in to Plesk:
Add an entry to the panel.ini file according to the following pattern:
[security]
trustedRedirectHosts = hostname
Where hostname
is a trustworthy hostname to which you allow URL redirection via
the success_redirect_url
and failure_redirect_url
parameters.
The trustedRedirectHosts
setting accepts one or more hostnames
separated by commas and specified in the following format:
- A domain name, for example
example.com
- An IP address, for example
192.0.2.1
- Wildcard subdomains, for example
*.example.com
Note
When specifying hostnames in trustedRedirectHosts
,
only use the asterisk (*) character
following the pattern shown above (*.example.com
). Otherwise,
your server may remain vulnerable. For example, the hostnames
example.*
or 192.0.2.*
are insecure because they can match
example.maliciouswebsite.com
and 192.0.2.maliciouswebsite.com
, respectively.
Here is a valid example of the trustedRedirectHosts
setting in the
panel.ini
file:
[security]
trustedRedirectHosts = example.com,192.0.2.1,*.example.com
Where example.com
, 192.0.2.1
, *.example.com
are
hostnames used in the success_redirect_url
and failure_redirect_url
parameters.
Note
When specifying several hostnames in trustedRedirectHosts
, do not
add the whitespace ( ) character before or after the comma (,) that
separates hostnames. Otherwise, the hostname will not be handled
correctly and URL redirection will fail.