Open redirect (also known as unvalidated redirects and forwards) is a URL redirection vulnerability. An attacker can exploit it to redirect users from a trusted website to an insecure third-party website and steal their login credentials through phishing. To counter this vulnerability, we recommend configuring Plesk to restrict URL redirection.

The vulnerability is made possible by the success_redirect_url and failure_redirect_url parameters, which are used when you set up automated logging in to Plesk. The success_redirect_url parameter contains one or more hostnames to which a user is redirected after a successful login, while failure_redirect_url contains the hostnames to which a user is redirected after a failed login attempt or after logging out.

The vulnerability can affect all Plesk servers, regardless of whether automatic logging in to Plesk has been set up or not. To protect against it, you need to add an entry to the panel.ini file. The exact entry varies depending on whether automatic logging in to Plesk has been set up.

If automatic logging in to Plesk has not been set up, do the following to protect Plesk against open redirect:

Add the following lines to the panel.ini file:

[security]
trustedRedirectHosts =

The trustedRedirectHosts line is empty and no hostnames are specified. This way you forbid Plesk from redirecting to any hostnames using the success_redirect_url and failure_redirect_url parameters.

If automatic logging in to Plesk has been set up, do the following to protect Plesk against open redirect:

Add an entry to the panel.ini file following the pattern below:

[security]
trustedRedirectHosts = hostname

Where hostname is a trustworthy hostname to which you allow URL redirection via the success_redirect_url and failure_redirect_url parameters.

The trustedRedirectHosts setting accepts one or more hostnames separated by commas, in the following formats:

  • A domain name, for example example.com
  • An IP address, for example 192.0.2.1
  • A wildcard subdomain, for example *.example.com

Note: When specifying hostnames in trustedRedirectHosts, only use the asterisk (*) character following the pattern shown above (*.example.com). Otherwise, your server may remain vulnerable. For example, the hostnames example.* or 192.0.2.* are insecure because they can match example.maliciouswebsite.com and 192.0.2.maliciouswebsite.com, respectively.

The following is a valid example of the trustedRedirectHosts setting (in the panel.ini file):

[security]
trustedRedirectHosts = example.com,192.0.2.1,*.example.com

Where example.com, 192.0.2.1, *.example.com are hostnames used in the success_redirect_url and failure_redirect_url parameters.

Note: When specifying multiple hostnames in trustedRedirectHosts, do not use whitespace ( ) characters before or after the commas that separate the hostnames. Otherwise the hostnames will not be processed correctly and URL redirection will fail.
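The allowlist rules above (exact domain, exact IP address, leading *.example.com wildcard), the asterisk caveat and the whitespace caveat, as an added Python example that is not Plesk's own code. It shows how a redirect target can be checked against a trustedRedirectHosts-style value, why a plain glob on example.* is unsafe, and why a space after a comma makes an entry stop matching; the function names are assumptions.

```python
# Added example, not Plesk's implementation: allowlist matching for a
# redirect target, following the trustedRedirectHosts rules on this page.
import fnmatch
from urllib.parse import urlsplit


def parse_trusted_hosts(value: str) -> list[str]:
    """Split the comma-separated trustedRedirectHosts value.
    Whitespace is deliberately NOT stripped: an entry such as ' 192.0.2.1'
    keeps its space and therefore never matches, mirroring the note that
    padded entries are not processed correctly."""
    return [entry for entry in value.split(",") if entry]


def host_matches(host: str, pattern: str) -> bool:
    """Match one hostname against one allowlist entry.
    Only a leading '*.' wildcard is honoured, and it must cover at least one
    label, so '*.example.com' matches 'mail.example.com' but not 'example.com'.
    An asterisk anywhere else (example.*, 192.0.2.*) is rejected outright."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    if "*" in pattern:
        return False
    return host == pattern  # exact domain name or exact IP address


def is_trusted_redirect(url: str, trusted_hosts: str) -> bool:
    """True only if the URL's host is on the allowlist. With an empty
    trustedRedirectHosts value every redirect is refused, which is the
    behaviour of the no-auto-login configuration described above."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return any(host_matches(parts.hostname, p)
               for p in parse_trusted_hosts(trusted_hosts))


def naive_glob_matches(host: str, pattern: str) -> bool:
    """Contrast case: a plain glob treats '*' as 'anything', which is why
    example.* also matches example.maliciouswebsite.com."""
    return fnmatch.fnmatch(host.lower(), pattern.lower())


if __name__ == "__main__":
    allow = "example.com,192.0.2.1,*.example.com"  # the page's valid example
    for target in ("https://mail.example.com/", "https://example.maliciouswebsite.com/"):
        print(target, "->", "allowed" if is_trusted_redirect(target, allow) else "refused")
```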