Open redirect (also known as unvalidated redirects and forwards) is a URL redirection vulnerability. An attacker can exploit it to send users from a trusted website to an unsafe third-party website and steal their authentication credentials through phishing. To mitigate this vulnerability, we recommend configuring Plesk to restrict URL redirection.

The vulnerability is made possible by the success_redirect_url and failure_redirect_url parameters, which are used when you set up automatic login to Plesk. The success_redirect_url parameter contains one or more hostnames to which a user is redirected after a successful login, while failure_redirect_url contains the hostnames to which a user is redirected after a failed login attempt or after logging out.

The vulnerability can affect all Plesk servers, regardless of whether automatic logging in to Plesk has been set up or not. To protect against it, you need to add an entry to the panel.ini file. The exact entry varies depending on whether automatic logging in to Plesk has been set up.

If automatic login to Plesk has not been set up, protect Plesk against open redirect as follows:

Add the following lines to the panel.ini file:

[security]
trustedRedirectHosts =

The trustedRedirectHosts value is left empty, with no hostnames specified. This forbids Plesk from redirecting to any hostname via the success_redirect_url and failure_redirect_url parameters.

If automatic login to Plesk has been set up, protect Plesk against open redirect as follows:

Add an entry to the panel.ini file following the pattern below:

[security]
trustedRedirectHosts = hostname

Where hostname is a trustworthy hostname to which you allow URL redirection via the success_redirect_url and failure_redirect_url parameters.

The trustedRedirectHosts setting accepts one or more hostnames separated by commas, in the following formats:

  • A domain name, for example example.com
  • An IP address, for example 192.0.2.1
  • A wildcard subdomain, for example *.example.com

Note: When specifying hostnames in trustedRedirectHosts, use the asterisk (*) character only in the pattern shown above (*.example.com). Otherwise, your server may remain vulnerable. For example, the hostnames example.* and 192.0.2.* are insecure because they can match example.maliciouswebsite.com and 192.0.2.maliciouswebsite.com, respectively.

The following is a valid example of the trustedRedirectHosts setting (in the panel.ini file):

[security]
trustedRedirectHosts = example.com,192.0.2.1,*.example.com

Where example.com, 192.0.2.1, and *.example.com are the hostnames used in the success_redirect_url and failure_redirect_url parameters.

Note: When specifying multiple hostnames in trustedRedirectHosts, do not put whitespace characters before or after the commas that separate the hostnames. Otherwise, the hostnames will not be processed correctly and URL redirection will fail.
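To make the matching rules and both notes above concrete, here is an added Python example. It is not Plesk's code and does not claim to reproduce Plesk's implementation; it models an allowlist check in the style of trustedRedirectHosts using only the rules stated on this page: exact match for domain names and IP addresses, a leading *. that matches subdomains, a value split on commas without trimming whitespace (so a space after a comma breaks that entry, as the second note warns), and rejection of any pattern that uses * other than as a leading *. (as the first note requires). The function names, and the decisions for cases the page does not state (whether *.example.com also covers the bare example.com, and how relative URLs are treated), are assumptions labelled in the comments. The glob_matches helper exists only to show why example.* and 192.0.2.* are unsafe when * is interpreted as a glob.

```python
# Added example (not Plesk's code): an allowlist check modelled on the
# trustedRedirectHosts rules described on this page. Function names and the
# behaviour for edge cases the page does not state are assumptions.
import fnmatch
from urllib.parse import urlparse


def parse_trusted_hosts(value: str) -> list[str]:
    """Split the setting value on commas exactly as written.

    Whitespace is deliberately NOT stripped: the page states that spaces
    around the commas break the setting, so " 192.0.2.1" stays a distinct,
    non-matching entry. An empty value yields an empty allowlist (deny all).
    """
    if value.strip() == "":
        return []
    return value.split(",")


def pattern_is_safe(pattern: str) -> bool:
    """Accept '*' only as a leading '*.' (e.g. *.example.com).

    example.* and 192.0.2.* are rejected because, read as globs, they also
    match example.maliciouswebsite.com and 192.0.2.maliciouswebsite.com.
    """
    if "*" not in pattern:
        return True
    return pattern.startswith("*.") and len(pattern) > 2 and "*" not in pattern[2:]


def host_matches(host: str, pattern: str) -> bool:
    """Exact match for domains and IPs; a leading '*.' matches subdomains.

    Assumption (not stated on the page): *.example.com does not cover the
    bare example.com, so list example.com separately when you need it,
    as the page's own example does.
    """
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def redirect_allowed(url: str, trusted_setting: str) -> bool:
    """Decide whether a success_redirect_url / failure_redirect_url target may be followed.

    The host comes from a parsed URL rather than a substring search, so
    https://example.com@evil.net/ resolves to evil.net and is refused.
    Assumption: a URL with no host (e.g. a relative path) is refused too.
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    for pattern in parse_trusted_hosts(trusted_setting):
        if not pattern_is_safe(pattern):
            continue  # an unsafe pattern is ignored, never treated as a match
        if host_matches(host, pattern):
            return True
    return False


def glob_matches(host: str, pattern: str) -> bool:
    """What a naive glob matcher does; shown only to demonstrate the unsafe patterns."""
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    setting = "example.com,192.0.2.1,*.example.com"
    for target in ("https://example.com/", "https://login.example.com/",
                   "https://192.0.2.1/", "https://example.com.evil.net/",
                   "https://example.com@evil.net/"):
        print(f"{target:40} allowed={redirect_allowed(target, setting)}")
    print("example.* matches example.maliciouswebsite.com as a glob:",
          glob_matches("example.maliciouswebsite.com", "example.*"))
    print("with a space after the comma, 192.0.2.1 no longer matches:",
          redirect_allowed("https://192.0.2.1/", "example.com, 192.0.2.1"))
```

Two design points carry over to any redirect allowlist, whatever product enforces it: compare the parsed hostname of the target URL against the list rather than searching for the trusted name inside the URL string (otherwise https://example.com.evil.net/ and https://example.com@evil.net/ both pass), and refuse, rather than silently honour, an allowlist entry whose wildcard sits anywhere but at the leading label.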