This repository was archived by the owner on Jul 2, 2025. It is now read-only.
Open Redirect #25
Description
We've been running an instance of this, and a security scan flagged the launch_url CGI parameter as having an open redirect vulnerability. The vulnerability has to do with phishing attacks, where you can give someone link that starts with a trustworthy site but actually redirects to some malicious website. Example: https://launch.smarthealthit.org/?launch_url=https://evil.example.com
I think one way to solve this would be changing the initial page to a POST submission, and removing launch_url from the CGI parameters, and then for subsequent links putting the url in a session cookie.