[Users] Warning for users of Preauth when installing 8.8.15 P37
L Mark Stone
lmstone at lmstone.com
Thu Mar 9 23:01:28 CET 2023
Posted to the Forums: https://forums.zimbra.org/viewtopic.php?f=13&t=71763&p=308522
___________________________________
Another Message From… L. Mark Stone
On Mar 9, 2023, at 4:58 PM, Marc Gadsdon <mg at in-tuition.net> wrote:
Heads up - the security fix mentioned in the release notes will break preauth depending on your configuration and there’s no documentation for this.
Release notes mention:
"Strengthened PreAuth servlet to only redirect to admin configured url, which will prevent security issues related to open redirection vulnerabilities."
The code contains this comment:
// ZBUG-3105: we are allowing redirectURL only from zimbraPublicServiceHostname and
// also url from zimbra_allowed_redirect_url
The solution is to ensure that whatever redirectURL you pass in during the preauth process matches the value of `zimbra_allowed_redirect_url`:
```
zmlocalconfig -e zimbra_allowed_redirect_url="/"
zmcontrol restart
```
Hope this helps someone.
Regards,
Marc
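As an added illustration, not Zimbra's code and not part of either post above, this is the shape of the allowlist check the release note describes: a redirect target is accepted only when it equals the configured allowed URL or points at the public service hostname. The hostname and allowed-URL values are assumed sample settings, and the function name is hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample settings standing in for the two admin-configured values
# named in the ZBUG-3105 code comment (zimbraPublicServiceHostname and
# zimbra_allowed_redirect_url). Illustrative only; not Zimbra's implementation.
PUBLIC_SERVICE_HOSTNAME = "mail.example.com"
ALLOWED_REDIRECT_URL = "/"


def is_allowed_redirect(redirect_url, public_hostname=PUBLIC_SERVICE_HOSTNAME,
                        allowed_url=ALLOWED_REDIRECT_URL):
    """Return True only if redirect_url is the configured allowed URL or an
    http(s) URL whose host is the public service hostname."""
    if not redirect_url:
        return False
    # Exact match against the admin-configured allowed URL (e.g. "/").
    if redirect_url == allowed_url:
        return True
    # Browsers treat a backslash like a slash in http(s) URLs, and userinfo
    # ("user@host") lets an attacker-controlled host hide behind a trusted-
    # looking prefix; reject both rather than trying to normalise them.
    if "\\" in redirect_url:
        return False
    parts = urlsplit(redirect_url)
    # A scheme-relative target ("//other.example/") has no scheme and would
    # send the browser to another origin, so require an explicit http(s) URL.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if "@" in parts.netloc:
        return False
    host = (parts.hostname or "").lower()
    return host == public_hostname.lower()
```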