1. ReturnUrl

    Article: AN0002401    Updated: 18.03.2020

    The ObjectGears system reads the ReturnUrl variable from the URL in several places; it defines the URL to which the user should be navigated next. Because the value is part of the URL, it can easily be changed, and a user can be handed a crafted address that takes him or her out of the ObjectGears system.

    A malicious URL would take the user to the attacker's website, which could be made to look just like your ObjectGears application. This could lead to the user entering sensitive information (e.g. login credentials) on the attacker's site.

    To prevent this, the ObjectGears system checks every value of the ReturnUrl variable taken from the URL. If the value points outside the system, the redirection is not performed and the event is written to the Error log as a Security incident. Administrators should review such entries, since each one indicates that someone supplied a ReturnUrl the system refused to follow.
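    The following is an added illustration of the kind of check described above, written in Python; it is not ObjectGears' own code. It assumes a hypothetical instance base URL (APP_BASE) and a hypothetical fallback page (DEFAULT_TARGET), and it records rejected values in an in-memory list standing in for the Error log. Beyond the plain "different host" case it also rejects the usual open-redirect tricks: protocol-relative URLs (//evil.example), backslash variants (/\evil.example, also percent-encoded), userinfo tricks (https://og.example.com@evil.example/), non-http schemes such as javascript:, and absolute URLs whose host looks similar but is not ours.

```python
import posixpath
from urllib.parse import urlsplit, urljoin, unquote

# Assumed base URL of our own ObjectGears instance (hypothetical value).
# If the instance runs under a virtual directory, include it, e.g.
# "https://og.example.com/objectgears/"; the path-prefix check below then
# treats anything outside that directory as "outside the system".
APP_BASE = "https://og.example.com/"

# Assumed landing page used when a ReturnUrl is rejected (hypothetical).
DEFAULT_TARGET = "/Default.aspx"

# Stand-in for the Error log: every rejected ReturnUrl is recorded here.
SECURITY_INCIDENTS = []


def _effective_port(parts):
    """Port the browser will actually use: explicit, else the scheme default."""
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def is_local_return_url(return_url, app_base=APP_BASE):
    """True only if return_url resolves to a page inside our own instance."""
    if not isinstance(return_url, str) or not return_url:
        return False
    # Control characters and whitespace are header-injection / parser-confusion
    # material; a legitimate ReturnUrl is percent-encoded and never contains them.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in return_url):
        return False
    # Browsers treat "/\evil.example" like "//evil.example". Check the raw and the
    # percent-decoded form so "%5C" and "%2F%2F" cannot slip past the parser.
    decoded = unquote(return_url)
    if "\\" in return_url or "\\" in decoded or decoded.startswith("//"):
        return False
    try:
        parts = urlsplit(return_url)
        if not parts.scheme and not parts.netloc:
            # Relative reference: require an explicit absolute path ("/page"),
            # not a bare "page" whose meaning depends on the current location,
            # then resolve it against our base so the same checks apply.
            if not return_url.startswith("/"):
                return False
            parts = urlsplit(urljoin(app_base, return_url))
        base = urlsplit(app_base)
        if parts.scheme != base.scheme:          # rejects javascript:, data:, http-vs-https
            return False
        if parts.hostname is None or parts.hostname != base.hostname:
            return False                         # rejects other hosts and user@host tricks
        if _effective_port(parts) != _effective_port(base):
            return False
    except ValueError:                           # malformed port or IPv6 literal
        return False
    # Collapse "/a/../b" before the prefix check so ".." cannot escape the base path.
    path = posixpath.normpath(parts.path or "/")
    base_path = base.path if base.path.endswith("/") else base.path + "/"
    return (path + "/").startswith(base_path)


def safe_redirect_target(return_url, default=DEFAULT_TARGET, app_base=APP_BASE):
    """Return the URL to redirect to: the ReturnUrl if it stays inside the
    instance, otherwise the default page, logging the rejected value."""
    if is_local_return_url(return_url, app_base):
        return return_url
    SECURITY_INCIDENTS.append({
        "event": "Security incident",
        "reason": "ReturnUrl points outside the system",
        "return_url": return_url,
    })
    return default


if __name__ == "__main__":
    # Constructed sample values, as a normal page or an attacker might supply them.
    for candidate in ["/ListObjects.aspx?id=5",
                      "https://og.example.com/Home.aspx",
                      "https://evil.example/login",
                      "//evil.example/login",
                      "/\\evil.example",
                      "https://og.example.com@evil.example/",
                      "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
    print(len(SECURITY_INCIDENTS), "security incident(s) logged")
```

    The check compares scheme, host and effective port explicitly rather than doing a string prefix match on the whole URL, because a prefix match on "https://og.example.com" is exactly what hosts such as og.example.com.evil.example are registered to defeat. Legitimate external destinations are not served by this function at all; they belong in the configured places listed below, where they cannot be injected through the URL.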

    If there is a legitimate reason to redirect the user outside the ObjectGears instance (e.g. switching to another application, a link to documentation, a network folder with documents etc.), the redirection can be defined in specific places configured inside ObjectGears rather than passed in the URL, e.g.:

    • URL in menu
    • www link in class/query buttons
    • URL in scripts