Concern:
Using request.getRequestURI() as the redirect target may allow manipulation of the redirect destination in some deployments, which could be abused for phishing against admin console users.
Scanner recommendation:
Use fixed internal redirect paths or validate/allowlist redirect targets instead of raw request URI.
We checked the public Openfire source (including v5.1.0) and the same pattern appears to still be present in these files.
Questions for the community/maintainers:
Is this considered a valid security issue for Openfire?
Is there an recommended official fix or configuration mitigation?
Thanks for raising this. If you believe this rises to the level of a genuine security vulnerability, please report it by email to security@ (our website domain) so it can be handled outside of a public forum and tracked appropriately.
Before we can assess whether this warrants a fix, it would help to have some concrete details that go beyond the static analysis finding:
Proof-of-concept request - Can you share an actual HTTP request (e.g. curl command or raw request headers) that results in a Location response header pointing to an external host? The exploitability hinges on whether request.getRequestURI() can be made to return a value that causes sendRedirect() to redirect off-host (which is non-trivial given how servlet containers typically normalise request paths).
Observed Location header-— What does the server actually respond with? A scanner flagging a code pattern is not the same as confirming a redirect to an external destination. Sharing the raw response (with the Location: header) from a test request would make the finding much easier to evaluate.
CSRF handler path - The PluginServlet case is the most interesting of the three, since it fires on a CSRF failure. Have you been able to trigger that code path with a crafted URI, and if so, where does the redirect actually land?
We take security reports seriously, but being able to distinguish a theoretical scanner finding from a demonstrable vulnerability helps us prioritise and respond appropriately. The more concrete the evidence, the faster we can act.