Security testing reports an application (open) redirect vulnerability when using web ticketing: the redirect target supplied to the ticketing endpoint is not restricted by default.
Environment:
You can add a "SafeForwardList" or "StrictSafeForwardList" element (check the help site for the difference between the two) containing "TrustedHost" entries to the config.xml file when setting up web ticketing; this can, and should, be done. In the example below only these three addresses are allowed as redirection targets.
<Authentication>
    <SafeForwardList>
        <TrustedHost>testserver.qliktech.com</TrustedHost>
        <TrustedHost>qliktech.com</TrustedHost>
        <TrustedHost>10.88.26.35</TrustedHost>
    </SafeForwardList>
</Authentication>
Note:
Not specifying any trusted host/IP results in the list being ignored: redirection will then always happen, to any target.
It is therefore necessary to list every hostname that is planned to be used. If only one server is specified, it has to be the one that is actually planned to be used, otherwise legitimate redirects to the other servers will be refused.
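The following is an added example, not Qlik's own code or the QlikView web ticketing implementation, that models how an allow-list like the one above should behave when a redirect target is validated: the list is parsed from the config fragment, the target URL is parsed properly (so hosts such as qliktech.com.attacker.example or a user@host trick do not match), and, as the note above describes, an empty list disables the check entirely. The strict/non-strict switch (exact host match versus also accepting sub-domains of a trusted host) is my illustrative assumption and is not necessarily how QlikView defines SafeForwardList versus StrictSafeForwardList; check the help site for that.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List
from urllib.parse import urlsplit

# Constructed config fragment mirroring the <Authentication> block shown above.
CONFIG_XML = """<Authentication>
    <SafeForwardList>
        <TrustedHost>testserver.qliktech.com</TrustedHost>
        <TrustedHost>qliktech.com</TrustedHost>
        <TrustedHost>10.88.26.35</TrustedHost>
    </SafeForwardList>
</Authentication>"""


def load_trusted_hosts(config_xml: str) -> List[str]:
    """Collect the TrustedHost entries (lower-cased, blanks dropped) from a config fragment."""
    root = ET.fromstring(config_xml)
    hosts = []
    for element in root.iterfind("./SafeForwardList/TrustedHost"):
        value = (element.text or "").strip().lower()
        if value:
            hosts.append(value)
    return hosts


def redirect_allowed(target: str, trusted_hosts: Iterable[str], strict: bool = True) -> bool:
    """Decide whether `target` may be used as a redirect destination.

    Models the behaviour described in the note: an empty trusted-host list
    means no check at all, so any absolute URL is accepted (the insecure state).
    `strict` is an assumed switch: True requires an exact host match, False also
    accepts sub-domains of a trusted host.
    """
    trusted = [h.lower() for h in trusted_hosts]
    if not trusted:
        return True  # list ignored: redirection always happens

    # Browsers treat backslashes like forward slashes in URLs, so normalise them
    # before parsing; otherwise "/\evil.example" would look like a relative path.
    parts = urlsplit(target.replace("\\", "/"))

    # Only plain web schemes are acceptable redirect targets.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False

    host = (parts.hostname or "").lower()
    if not host:
        # No authority component: a relative path on the same site, which is safe.
        return True

    if host in trusted:
        return True
    if not strict:
        return any(host.endswith("." + t) for t in trusted)
    return False
```

Note that checking `host in trusted` after real URL parsing is what prevents a target such as https://qliktech.com.attacker.example/ from passing a naive substring or prefix comparison.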