Disabling Domino redirectto URL argument
A phishing attacker sends an email containing a link that purports to point to your website. The link begins with your domain name, but uses the &redirectto argument to steer the user to the attacker's site when it is clicked.
Diagnosing the problem
This feature is used legitimately by authentication pages that, on logout, redirect the user to another on-site page that doesn't require authentication. For some high-security sites, however, the functionality may be problematic.
We are not giving a specific example here on the theory that one should avoid giving instructions on how to attack server security.
Resolving the problem
You can optionally disable the redirect functionality by adding the following line to the Domino server's notes.ini file:
Where x can be:
- 1: Ignore the RedirectTo parameter in both GET and POST requests. Warning: this setting will break Domino's session-based authentication redirection.
- 2: Ignore the query string RedirectTo parameter only in GET requests (to allow form-based POST authentication).
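Whether or not the setting is applied, a defender will want to know if the argument is already being abused. The following is an added example, not part of the technote, that scans HTTP access-log lines for RedirectTo values pointing off-site; the common-log-format layout, the trusted host names and the sample log lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Host names this Domino server answers for (constructed for the example);
# a RedirectTo value naming any other host is flagged as off-site.
TRUSTED_HOSTS = {"www.example.com", "example.com"}

# Request portion of a common-log-format line (assumed log layout).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log lines: one legitimate on-site redirect, two off-site ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2012:10:00:00 +0000] "GET /names.nsf?Login&RedirectTo=/home.nsf HTTP/1.1" 200 512',
    '10.0.0.7 - - [24/Jan/2012:10:00:05 +0000] "GET /names.nsf?Login&redirectto=http://phish.invalid/login HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jan/2012:10:00:09 +0000] "POST /names.nsf?Login&RedirectTo=//phish.invalid/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [24/Jan/2012:10:00:12 +0000] "GET /mail.nsf?Open HTTP/1.1" 200 4096',
]

def redirect_target(url):
    """Return the RedirectTo value of a request URL, or None if absent.
    The parameter name is matched case-insensitively, as Domino does."""
    for key, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if key.lower() == "redirectto" and values:
            return values[0]
    return None

def is_offsite(target):
    """True when the target leaves the trusted hosts: an absolute URL or a
    scheme-relative //host form whose host (after any user@ prefix) is untrusted."""
    parts = urlsplit(target)
    if parts.scheme or target.startswith("//"):
        host = parts.netloc.rsplit("@", 1)[-1].split(":")[0].lower()
        return host not in TRUSTED_HOSTS
    return False  # relative path: stays on this server

def suspicious_redirects(log_lines):
    """Yield (method, request path, off-site target) for each log line whose
    RedirectTo parameter points away from the trusted hosts."""
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = redirect_target(m.group("path"))
        if target is not None and is_offsite(target):
            yield m.group("method"), m.group("path"), target

if __name__ == "__main__":
    for method, path, target in suspicious_redirects(SAMPLE_LOG):
        print(f"{method} {path} -> off-site redirect to {target}")
```

Relative targets are left alone because they are exactly the legitimate logout use the technote describes; only absolute or scheme-relative targets to another host are reported.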
Software version: 8.5, 8.5.1, 8.5.2, 8.5.3
Operating system(s): AIX, AIX 64bit, IBM i, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit, i5/OS, z/OS
Software edition: Edition Independent
Reference #: 1578597
Modified date: 24 January 2012