Authenticate.aspx Call Using "Back" Parameter Is A Security Concern
Article Number: 000003710 | Last Modified: 2019/12/09
Description
There are multiple calls to the QlikView web site during the GetWebTicket event at login that allow potential interception, and we are looking for a means to secure this transaction.
Cause
This issue has been addressed as bug #58956.
Resolution
In QlikView 11.2 SR4 (and 11.20 SR3 patch 12020) this issue has been addressed.
To protect Authenticate.aspx against unsafe redirect abuse, a protection mechanism has been implemented that enables QlikView administrators to specify a trusted host list to which clients are allowed to be redirected, based on the URLs provided in the try (Try_URL) and back (Back_URL) arguments.
To enable the feature, the SafeForwardList setting must be added to the web server configuration file (for each web server) [\ProgramData\QlikTech\WebServer\config.xml] as part of the Authentication settings. Each host can be specified as an IP address or a URI.
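As an added illustration of the check a trusted-host list like this enforces on redirect targets (example code written for this article, not QlikView's implementation), assuming the parameter names back and try, a constructed sample list, and a fallback of "/" when neither argument is acceptable:

```python
"""Illustrative trusted-host check for login redirect parameters (added
example, not QlikView code; the list, parameter names and fallback path
below are constructed assumptions)."""
from urllib.parse import urlsplit

# Constructed sample list: bare host names, IP addresses or full URIs
# (only the host part of a URI is used for matching).
SAFE_FORWARD_LIST = [
    "qv.example.com",
    "10.0.0.15",
    "https://reports.example.com:8443/reports/",
]


def _host_of(entry: str) -> str:
    """Normalise an allow-list entry to a lowercase host name or IP literal."""
    entry = entry.strip()
    if "://" in entry:
        return urlsplit(entry).hostname or ""  # drops scheme/userinfo/port
    return entry.lower()


def is_safe_forward(url: str, safe_list=SAFE_FORWARD_LIST) -> bool:
    """True only for a same-site absolute path or an http(s) URL whose host
    is on the list; anything ambiguous fails closed."""
    cleaned = url.strip().replace("\\", "/")  # browsers treat "\" as "/"
    if not cleaned or any(ord(c) < 0x20 for c in cleaned):
        return False
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 bracket host
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: "//h" and "///h" can be read as host h by a
        # browser, so only a single leading slash is acceptable.
        return cleaned.startswith("/") and not cleaned.startswith("//")
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return False
    # .hostname is lowercased with userinfo ("trusted@evil") and port
    # removed, so an exact membership test is enough.
    return parts.hostname in {h for h in map(_host_of, safe_list) if h}


def resolve_redirect(params: dict, fallback: str = "/") -> str:
    """Pick the post-login destination from the back/try parameters
    (assumed precedence: back first), else the fallback."""
    for key in ("back", "try"):
        candidate = params.get(key, "")
        if candidate and is_safe_forward(candidate):
            return candidate
    return fallback
```

A host that is not an exact match (including unusual numeric IP spellings) is simply rejected, which is the desired fail-closed behaviour for a redirect allow list.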