[Users] Warning for users of Preauth when installing 8.8.15 P37
Marc Gadsdon
mg at in-tuition.net
Thu Mar 9 22:58:23 CET 2023
Heads up - the security fix mentioned in the release notes will break preauth depending on your configuration and there’s no documentation for this.
Release notes mention:
"Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities."
The code contains this comment:
```
// ZBUG-3105: we are allowing redirectURL only from zimbraPublicServiceHostname and
// also url from zimbra_allowed_redirect_url
```
The solution is to ensure that whatever redirectURL you pass in during the preauth process matches the value of `zimbra_allowed_redirect_url`:
```bash
# set the allowed redirect target in local config (here the web root "/")
zmlocalconfig -e zimbra_allowed_redirect_url="/"
# restart so the new local config value is picked up
zmcontrol restart
```
Hope this helps someone.
Regards,
Marc
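As an added example (not part of Marc's post and not Zimbra's own code), the script below builds a preauth URL the way a preauth integration typically does and vets the redirectURL against the configured allow value before sending the user through. The preauth token construction (HMAC-SHA1 over `account|by|expires|timestamp` with the domain's preauth key, hex-encoded) is the documented Zimbra preauth scheme; the `redirect_allowed` check is this example's own model of "redirectURL must match `zimbra_allowed_redirect_url` or point at `zimbraPublicServiceHostname`", written as an assumption about what the hardened servlet accepts, not a copy of its logic. Hostnames, the account and the key are constructed sample values.

```python
"""Build a Zimbra preauth URL and reject redirectURL values that would be
refused (or abused) after the open-redirect hardening.

Added example, not from the original post or from Zimbra. The token format
is the documented preauth scheme; redirect_allowed() is an assumed model of
the server-side allow check, not the real implementation.
"""
import hashlib
import hmac
import time
from urllib.parse import urlencode, urlsplit


def preauth_token(account, preauth_key, by="name", expires=0, timestamp=None):
    """Return (token, timestamp). Token = hex(HMAC-SHA1(key, "acct|by|exp|ts"))."""
    if timestamp is None:
        timestamp = int(time.time() * 1000)  # Zimbra expects milliseconds
    msg = f"{account}|{by}|{expires}|{timestamp}".encode()
    token = hmac.new(preauth_key.encode(), msg, hashlib.sha1).hexdigest()
    return token, timestamp


def redirect_allowed(redirect_url, allowed_redirect_url, public_service_hostname):
    """Assumed model of the post-P37 rule: a relative redirectURL must equal
    zimbra_allowed_redirect_url; an absolute one must target the public
    service hostname over http(s). Everything else is treated as an open
    redirect attempt."""
    parts = urlsplit(redirect_url)
    if parts.scheme or parts.netloc:
        # absolute or protocol-relative ("//evil.example") URL
        if parts.scheme not in ("http", "https"):
            return False  # javascript:, data:, or "//host" with no scheme
        return parts.hostname == public_service_hostname
    # Some browsers treat "/\\host" like "//host"; refuse backslash tricks.
    if redirect_url.startswith(("/\\", "\\")):
        return False
    return redirect_url == allowed_redirect_url


def build_preauth_url(host, account, preauth_key, redirect_url,
                      allowed_redirect_url, timestamp=None):
    """Assemble https://<host>/service/preauth?... or raise ValueError when the
    redirectURL would not pass the (assumed) allow check."""
    if not redirect_allowed(redirect_url, allowed_redirect_url, host):
        raise ValueError(f"redirectURL {redirect_url!r} does not match "
                         f"zimbra_allowed_redirect_url={allowed_redirect_url!r} "
                         f"or host {host!r}")
    token, ts = preauth_token(account, preauth_key, timestamp=timestamp)
    params = {
        "account": account,
        "by": "name",
        "timestamp": ts,
        "expires": 0,
        "preauth": token,
        "redirectURL": redirect_url,
    }
    return f"https://{host}/service/preauth?{urlencode(params)}"


if __name__ == "__main__":
    # constructed sample values; the real key comes from zmprov gdpak <domain>
    HOST = "mail.example.com"
    KEY = "0123456789abcdef0123456789abcdef"
    print(build_preauth_url(HOST, "user@example.com", KEY, "/", "/"))
    for bad in ("https://evil.example/", "//evil.example/", "/mail"):
        try:
            build_preauth_url(HOST, "user@example.com", KEY, bad, "/")
        except ValueError as e:
            print("rejected:", e)
```

Run it with the domain's real preauth key substituted and compare what your integration currently sends as redirectURL against the value you set with `zmlocalconfig`; a mismatch under the model above is the case the post warns about.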