iChain 2.3 SP5: "Illegal URL Destination. Possible Phishing Attempt!"

  • 3271239
  • 28-Feb-2007
  • 27-Apr-2012

Environment

Novell iChain 2.3
Novell iChain 2.3 Support Pack 5 (build 2.3.345) or later

Situation

After upgrading from iChain 2.3 SP4 to iChain 2.3 SP5, and after I log in at the iChain login page, I get the following error message:
"Illegal URL Destination. Possible Phishing Attempt!"

Resolution

There are new security safeguards in iChain as of iChain 2.3 SP5 (build 2.3.345) to prevent "phishing" and other security holes.
The above error message occurs because, after a user successfully authenticates to iChain, if iChain is told to redirect to a URL that is *not* on the iChain box (i.e., is not an iChain accelerator), then iChain will generate this error message.
In this case, the customer had a customized iChain login page where the "Destination:" location (the tag in the HTML source of the login page) had been modified to redirect the user, after logging in to iChain, to another web server (off the iChain box) that was not an iChain accelerator. This is how phishing attacks work, so as of iChain 2.3 SP5 (2.3.345) this is no longer allowed, to enhance security.
If the customer does want iChain-authenticated users to be redirected to some other non-iChain web server after authenticating to iChain, then that redirect will have to happen at the back-end origin web server rather than at the iChain box (i.e., don't do it in the customized iChain login page). Let the back-end origin server do the redirect.
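The safeguard described above is an open-redirect check: a post-login destination is honoured only if it points at a host the proxy itself serves. The following Python is an added illustration of that kind of check, written for this article; it is not iChain's code, and the accelerator hostnames, the `is_on_box` and `resolve_destination` function names and the sample destinations are all constructed for the example. It goes slightly beyond the article by also rejecting the usual ways an off-box destination can be disguised (scheme-relative `//host` URLs, user-info tricks such as `http://good@evil`, backslash variants and non-HTTP schemes), while still permitting plain relative paths on the accelerator.

```python
from urllib.parse import urlsplit

# Constructed example: the hostnames of the accelerators configured on a
# hypothetical iChain box. Only these hosts are legitimate post-login targets.
ACCELERATOR_HOSTS = {"www.example.com", "mail.example.com"}

# The message the article describes iChain returning when the check fails.
ERROR_MESSAGE = "Illegal URL Destination. Possible Phishing Attempt!"


def is_on_box(destination: str, accelerator_hosts=ACCELERATOR_HOSTS) -> bool:
    """Return True only when the destination stays on one of the accelerators.

    Relative paths ("/private/home.html") are accepted; anything that names a
    host must name an accelerator over http or https. Everything else, including
    scheme-relative URLs and javascript: URLs, is rejected.
    """
    dest = destination.strip()
    if not dest:
        return False
    # Browsers treat a backslash like a forward slash, so "/\evil" would be
    # followed as "//evil"; normalise before parsing so the parser sees it too.
    dest = dest.replace("\\", "/")
    parts = urlsplit(dest)

    if parts.scheme == "" and parts.netloc == "":
        # No scheme and no host: a path on the accelerator itself. Require a
        # single leading slash; "//host/..." is scheme-relative and has a netloc,
        # so it never reaches this branch.
        return dest.startswith("/") and not dest.startswith("//")

    if parts.scheme.lower() not in ("http", "https"):
        # Covers javascript:, data:, and scheme-relative URLs (empty scheme but
        # a netloc), none of which are acceptable redirect targets.
        return False

    # .hostname strips any user-info and port, so "http://www.example.com@evil/"
    # resolves to "evil", and is lower-cased for comparison.
    host = (parts.hostname or "").lower()
    return host in accelerator_hosts


def resolve_destination(destination: str, accelerator_hosts=ACCELERATOR_HOSTS):
    """Decide what the login handler should do with a requested destination.

    Returns ("redirect", url) for an on-box target or ("error", message)
    mirroring the behaviour the article describes.
    """
    if is_on_box(destination, accelerator_hosts):
        return ("redirect", destination)
    return ("error", ERROR_MESSAGE)


if __name__ == "__main__":
    # Constructed sample destinations: two legitimate, the rest disguised off-box.
    for sample in (
        "/private/home.html",
        "https://mail.example.com/inbox",
        "http://attacker.example.net/login",
        "//attacker.example.net/login",
        "http://www.example.com@attacker.example.net/",
        "/\\attacker.example.net/",
        "javascript:alert(1)",
    ):
        print(f"{sample!r:50} -> {resolve_destination(sample)}")
```

Port numbers are deliberately ignored by the host comparison; if the accelerators listen on specific ports only, compare `parts.port` as well. Note that this check must run on the proxy after authentication, not in the login page HTML, which is exactly why the article tells customers to leave the "Destination:" value alone and let the origin server redirect instead.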