Authenticate.aspx Call Using "Back" Parameter Is A Security Concern
Article Number: 000003710 | Last Modified: 2019/12/09
There are multiple calls to the QlikView web site during the GetWebTicket event at login that allow potential interception, and we are looking for a means to secure this transaction.
This issue has been addressed as bug #58956
In QlikView 11.2 SR4 (and 11.20 SR3 patch 12020) this issue has been addressed.
To protect Authenticate.aspx against unsafe redirect abuse, a protection mechanism has been implemented that enables QlikView administrators to specify a trusted host list to which clients are allowed to be redirected, based on the URLs supplied in the try (Try_URL) and back (Back_URL) arguments.
To enable the feature, the SafeForwardList setting must be added to the web server configuration file (for each web server) [\ProgramData\QlikTech\WebServer\config.xml] as part of the Authentication settings. A host can be specified as an IP address or a URI.
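The check that a trusted-host list of this kind performs on a "back"/"try" redirect argument, written out as an added example (this is illustrative code, not QlikView's implementation, and the article does not give the config.xml schema, so nothing here reads that file). The host names, IP addresses and URLs are constructed for the demonstration; the list entries follow the article's rule that a host may be given as an IP address or a URI.

```python
"""Trusted-host validation for a post-login redirect parameter.

Added example, not Qlik's code. Shows what a SafeForwardList-style check
has to do before Authenticate.aspx (or any login page) honours a
Back_URL/Try_URL argument: only same-site relative paths or absolute
http(s) URLs whose host is on the administrator's list are followed.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def _canonical_host(host: str) -> str:
    """Lower-case a host name, drop a trailing dot, and canonicalise IP
    literals so that '[0:0:0:0:0:0:0:1]' and '::1' compare equal."""
    host = host.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host.strip("[]")))
    except ValueError:
        return host  # not an IP literal: keep the host name


def load_trusted_hosts(entries):
    """Build the trusted set from list entries given as a bare host name,
    an IP address, or a full URI. Matching is by host only; ports and
    paths in a URI entry are ignored."""
    hosts = set()
    for entry in entries:
        # Prefix '//' so urlsplit treats a bare 'host:port' as a netloc,
        # not as a scheme.
        parts = urlsplit(entry if "://" in entry else "//" + entry)
        if parts.hostname:
            hosts.add(_canonical_host(parts.hostname))
    return frozenset(hosts)


def is_safe_forward(url: str, trusted_hosts) -> bool:
    """True if `url` is a relative path on this site or an absolute http(s)
    URL whose host is in `trusted_hosts`."""
    # Reject empty values, backslashes (browsers treat '/\host' like
    # '//host') and control/whitespace characters before parsing.
    if not url or "\\" in url or any(ord(c) <= 0x20 for c in url):
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative reference: must be an absolute path on this site.
        return url.startswith("/")
    # Protocol-relative '//host' arrives here with an empty scheme and fails.
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    # .hostname is lower-cased and excludes any 'user@' prefix, so
    # 'http://trusted@other' is judged on 'other', not 'trusted'.
    host = parts.hostname
    if not host:
        return False
    return _canonical_host(host) in trusted_hosts


def resolve_back_url(back: str, trusted_hosts, default: str = "/") -> str:
    """Redirect target to use after login: the requested one if it passes
    the check, otherwise a safe default on this site."""
    return back if is_safe_forward(back, trusted_hosts) else default


if __name__ == "__main__":
    # Constructed list entries: a host name, an IPv4 address, and a URI.
    trusted = load_trusted_hosts(
        ["qv.example.com", "10.0.0.5", "https://portal.example.com:8443/QvAJAXZfc/"]
    )
    for candidate in (
        "/QvAJAXZfc/opendoc.htm?document=Sales.qvw",
        "https://QV.example.com/QvAJAXZfc/opendoc.htm",
        "http://10.0.0.5/QvAJAXZfc/",
        "//other.example/",
        "http://qv.example.com@other.example/",
        "https://qv.example.com.other.example/",
    ):
        print(f"{candidate!r:55} -> {resolve_back_url(candidate, trusted)}")
```

The list is matched on the canonical host only, which is why a user-info prefix, a look-alike subdomain, a protocol-relative URL and a non-http scheme all fall back to the default target; a login page that honoured any of those would still be an open redirect.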