Open redirect (also known as unvalidated redirects and
forwards)
is a URL redirection vulnerability. An attacker can exploit it to
redirect users from a trusted to a potentially malicious third-party
website and steal their credentials via a phishing attack. To protect
against this vulnerability, we recommend configuring Plesk to restrict
URL redirection.
The vulnerability is made possible by the failure_redirect_url
parameter, which is used when you set up automated logging in to
Plesk.
This parameter contains one or more hostnames to which a user is
redirected after performing a failed login attempt or logging out.
The vulnerability affects all Plesk servers, regardless of whether
automatic logging in to Plesk has been set up or not. To protect against
it, you need to add an entry to the panel.ini file. The
exact entry varies depending on whether automatic logging in to Plesk
has been set up.
To protect Plesk against open redirect if you have not set up
automatic logging in to Plesk:
Add the following lines to the panel.ini file:
[security]
trustedRedirectHosts =
The trustedRedirectHosts line is empty and no hosts are specified.
This way you forbid Plesk from redirecting to any hosts using the
failure_redirect_url parameter.
To protect Plesk against open redirect if you have set up automatic
logging in to Plesk:
Add an entry to the panel.ini file according to the
following pattern:
[security]
trustedRedirectHosts = hostname
Where hostname is a trustworthy host to which URL redirection via
the failure_redirect_url parameter will be allowed.
The trustedRedirectHosts setting accepts one or more hostnames
separated by commas and specified in the following format:
- A domain name, for example
example.com - An IP address, for example
10.58.58.100 - Wildcard subdomains, for example
*.example.com
Note: When specifying hostnames in trustedRedirectHosts and
failure_redirect_url, only use the asterisk (*) character
following the pattern shown above (*.example.com). Otherwise,
your server may remain vulnerable. For example, the hostnames
example.* or 203.0.113.* are insecure as they can match
example.maliciouswebsite.com and
203.0.113.maliciouswebsite.com, respectively.
Here is a valid example of the trustedRedirectHosts setting in the
panel.ini file:
[security]
trustedRedirectHosts = example.com,10.58.58.100,*.example.com
Where example.com, 10.58.58.100, *.example.com are
hostnames used in the failure_redirect_url parameter.
Note: When specifying several hostnames in trustedRedirectHosts, do not
add the whitespace ( ) character before or after the comma (,) that
separates hostnames. Otherwise, the hostname will not be handled
correctly and URL redirection will fail.
