[Users] Warning for users of Preauth when installing 8.8.15 P37
Barry de Graaff
info at barrydegraaff.nl
Fri Mar 10 07:15:21 CET 2023
DO NOT USE zmlocalconfig -e zimbra_allowed_redirect_url="/" as this will weaken your system security.
Without setting this value on the latest patch, PreAuth should just work, as long as you use the value from zimbraPublicServiceHostname as the redirect URL.
If you must use a different URL, provide an FQDN in zimbra_allowed_redirect_url, not just /
Furthermore, I recommend using SAML instead of pre-auth, which is available for Network Edition and FOSS:
https://wiki.zimbra.com/wiki/Authentication/SAML
On 2023-03-09 22:58, Marc Gadsdon wrote:
> Heads up - the security fix mentioned in the release notes will break
> preauth depending on your configuration and there’s no documentation
> for this.
> Release notes mention:
> "Strengthened PreAuth servlet to only redirect to admin configured
> url, which will prevent security issues related to open redirection
> vulnerabilities."
> The code contains this comment:
> ```
> // ZBUG-3105: we are allowing redirectURL only from zimbraPublicServiceHostname and
> // also url from zimbra_allowed_redirect_url
> ```
> The solution is to ensure that whatever redirectURL you pass in during
> the preauth process matches the value of
> `zimbra_allowed_redirect_url`:
> ```
> zmlocalconfig -e zimbra_allowed_redirect_url="/"
> zmcontrol restart
> ```
> Hope this helps someone.
> Regards,
> Marc
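An illustrative allowlist check for the policy described in this thread (added example, not Zimbra's code; the function names, the hostnames and the naive prefix variant are assumptions used to show why a bare "/" in zimbra_allowed_redirect_url is too permissive):

```python
from urllib.parse import urlsplit

# Models the policy from the thread: a PreAuth redirect may only target
# zimbraPublicServiceHostname or the FQDN held in zimbra_allowed_redirect_url.
# This is an illustrative re-implementation, not Zimbra's servlet code.


def allowed_hosts(public_service_hostname, allowed_redirect_url=""):
    """Hostnames a redirect may point at. zimbra_allowed_redirect_url is
    expected to carry an FQDN (or a URL with one); a bare path such as "/"
    contributes no host at all, which is why it buys nothing here."""
    hosts = {public_service_hostname.lower()}
    if allowed_redirect_url:
        candidate = allowed_redirect_url
        if "://" not in candidate:
            candidate = "https://" + candidate  # bare FQDN -> parseable URL
        host = urlsplit(candidate).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_safe_redirect(redirect_url, public_service_hostname, allowed_redirect_url=""):
    """Strict check: same-origin relative paths, or absolute http(s) URLs whose
    host is on the allowlist. Everything else is treated as an open redirect."""
    parts = urlsplit(redirect_url)
    if not parts.scheme and not parts.netloc:
        # Relative path. Reject protocol-relative "//host" and backslash forms,
        # which browsers may normalise into a different origin.
        return (redirect_url.startswith("/")
                and not redirect_url.startswith("//")
                and "\\" not in redirect_url)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, etc.
    host = (parts.hostname or "").lower()  # hostname ignores userinfo tricks
    return host in allowed_hosts(public_service_hostname, allowed_redirect_url)


def naive_prefix_check(redirect_url, allowed_redirect_url):
    """Hypothetical weak variant (assumed, for contrast): a plain prefix match.
    With "/" as the allowed value it accepts "//evil.example/" as well."""
    return redirect_url.startswith(allowed_redirect_url)
```

Run `is_safe_redirect("//evil.example/", "mail.example.com", "/")` against `naive_prefix_check("//evil.example/", "/")` to see the difference: the host-based check rejects the protocol-relative URL, the prefix check lets it through.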