Open redirect (also known as unvalidated redirects and forwards) is a URL redirection vulnerability. An attacker can exploit it to redirect users from a trusted to a potentially malicious third-party website and steal their credentials via a phishing attack. To protect against this vulnerability, we recommend configuring Plesk to restrict URL redirection.
The vulnerability is made possible by the
failure_redirect_url parameter, which is used when you set up automated logging in to Plesk. This parameter contains one or more hostnames to which a user is redirected after performing a failed login attempt or logging out.
The vulnerability affects all Plesk servers, regardless of whether automatic logging in to Plesk has been set up or not. To protect against it, you need to add an entry to the
panel.ini file. The exact entry varies depending on whether automatic logging in to Plesk has been set up.
To protect Plesk against open redirect if you have not set up automatic logging in to Plesk:
Add the following lines to the
trustedRedirectHosts line is empty and no hosts are specified. This way you forbid Plesk from redirecting to any hosts using the
To protect Plesk against open redirect if you have set up automatic logging in to Plesk:
Add an entry to the
panel.ini file according to the following pattern:
trustedRedirectHosts = hostname
hostname is a trustworthy host to which URL redirection via the
failure_redirect_url parameter will be allowed.
trustedRedirectHosts setting accepts one or more hostnames separated by commas and specified in the following format:
Note: When specifying hostnames in
failure_redirect_url, only use the asterisk (*) character following the pattern shown above (
*.example.com). Otherwise, your server may remain vulnerable. For example, the hostnames
203.0.113.* are insecure as they can match
Here is a valid example of the
trustedRedirectHosts setting in the
trustedRedirectHosts = example.com,10.58.58.100,*.example.com
*.example.com are hostnames used in the
Note: When specifying several hostnames in
trustedRedirectHosts, do not add the whitespace ( ) character before or after the comma (,) that separates hostnames. Otherwise, the hostname will not be handled correctly and URL redirection will fail.