Application redirect vulnerability in QlikView Server, when using ticketing

Sonja_Bauernfeind
Digital Support
Last Update: Mar 22, 2021 9:04:45 AM
Updated By: Daniele_Purrone
Created date: Jun 8, 2018 10:16:08 AM

Security testing shows that QlikView Server is affected by an application redirect vulnerability when ticketing is used.

Environment:


You can add a "SafeForwardList" or "StrictSafeForwardList" element (check the help site for the difference) containing "TrustedHost" entries; this can (and should) be used in the config.xml file when setting up web ticketing. In the example below only these three addresses will be allowed as redirection targets.
<Authentication>
    <SafeForwardList>
        <TrustedHost>testserver.qliktech.com</TrustedHost>
        <TrustedHost>qliktech.com</TrustedHost>
        <TrustedHost>10.88.26.35</TrustedHost>
    </SafeForwardList>
</Authentication>

Note:
If no trusted host/IP is specified, the list is ignored and redirection will always happen.
Specify the hostname(s) that are planned to be used. If only one server is specified, it must be the one that will actually be used.
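As an added illustration of the allow-list check that a SafeForwardList expresses (example code written for this article, not QlikView Server's own implementation), the Python below reads the TrustedHost entries from a config fragment and decides whether a redirect target may be followed. The exact-hostname matching rule and the handling of an empty list are assumptions of this example; the real semantics of SafeForwardList versus StrictSafeForwardList are described on the Qlik help site.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed config fragment mirroring the example in this article.
CONFIG_XML = """
<Authentication>
    <SafeForwardList>
        <TrustedHost>testserver.qliktech.com</TrustedHost>
        <TrustedHost>qliktech.com</TrustedHost>
        <TrustedHost>10.88.26.35</TrustedHost>
    </SafeForwardList>
</Authentication>
"""


def load_trusted_hosts(config_xml: str) -> set:
    """Return the lower-cased, non-empty TrustedHost values found in the config."""
    root = ET.fromstring(config_xml)
    hosts = set()
    for node in root.iter("TrustedHost"):
        if node.text and node.text.strip():
            hosts.add(node.text.strip().lower())
    return hosts


def is_safe_redirect(target: str, trusted_hosts: set) -> bool:
    """Hypothetical allow-list check: accept only absolute http(s) URLs whose
    parsed hostname exactly matches an entry in trusted_hosts.

    Assumption for this example: an empty list denies every redirect. The
    article notes that the product instead ignores an empty list (redirection
    always happens), which is why the list must always be populated.
    Comparing the parsed hostname, rather than searching the raw string, means
    a trusted name appearing in the path, in userinfo, or as a prefix of a
    longer hostname does not count as a match.
    """
    if not trusted_hosts:
        return False
    parts = urlsplit(target.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return False  # rejects scheme-relative "//host/..." and non-web schemes
    host = parts.hostname  # already lower-cased, userinfo and port removed
    return host is not None and host in trusted_hosts
```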
