ViUR Admin Session Hijack: Open Redirect in `get_cookie_for_app` Exposed Privileged Credentials
A critical open-redirect vulnerability in the ViUR framework's `get_cookie_for_app` endpoint allowed attackers to steal admin session cookies with a single malicious link. The flaw lay in the endpoint's handling of the `redirect_to` parameter: it appended the user's session cookie as a plain query parameter to whatever URL was supplied, then redirected the browser there. An attacker could craft a link pointing to a server they control; if a logged-in admin clicked it, the browser followed the redirect and delivered the full `Set-Cookie` string, including the `viur_session` token, straight to the attacker's server as a URL parameter.
Reaching the vulnerable endpoint required the victim to hold `admin` or `root` access, but that restriction made the attack a high-precision threat rather than a weaker one: it targeted exactly the most privileged users, whose credentials are the most valuable. No password or direct system breach was necessary; session hijacking was achieved purely through social engineering, such as phishing via a chat message or a compromised web page. The attacker could then impersonate the admin for the entire lifespan of the stolen session.
The fix involved implementing a validation whitelist for the `redirect_to` parameter, restricting redirects to approved, trusted domains. This patch closes the door on a severe credential exposure risk that turned a simple redirect into a direct pipeline for administrative account takeover.
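To make the before/after concrete, here is an added illustration (not ViUR's own code) of the flawed pattern next to an allowlist check of the kind the fix describes. The handler names, the `ALLOWED_REDIRECT_HOSTS` set and the `viur_session` query parameter name are assumptions; the point is that the check must parse the URL and compare the host exactly, since substring matching is easily bypassed.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qsl

# Hypothetical allowlist; a real deployment would load this from configuration.
ALLOWED_REDIRECT_HOSTS = {"admin.example.com", "app.example.com"}


def is_allowed_redirect(url: str, allowed_hosts=ALLOWED_REDIRECT_HOSTS) -> bool:
    """True only for an absolute https URL whose host is exactly allowlisted.

    Rejects scheme-relative URLs ("//evil.example"), userinfo tricks
    ("https://admin.example.com@evil.example"), lookalike subdomains
    ("admin.example.com.evil.example"), backslashes and odd ports.
    """
    if not url or "\\" in url:
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    # urlsplit keeps userinfo in netloc; .hostname drops it, so the presence
    # of "@" in netloc means the apparent host is not the real destination.
    if parts.hostname is None or "@" in parts.netloc:
        return False
    if port not in (None, 443):
        return False
    return parts.hostname in allowed_hosts  # .hostname is already lowercased


def vulnerable_redirect(redirect_to: str, session_token: str) -> str:
    """Pre-fix behaviour as described in the advisory: the session token is
    appended to whatever URL was supplied, so any host receives it."""
    return f"{redirect_to}?viur_session={session_token}"


def hardened_redirect(redirect_to: str, session_token: str):
    """Post-fix behaviour: refuse (return None) unless the host is allowlisted,
    and merge the parameter into the existing query string properly."""
    if not is_allowed_redirect(redirect_to):
        return None
    parts = urlsplit(redirect_to)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("viur_session", session_token))
    return urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment)
    )
```

Even with the allowlist in place, a session token in a URL still lands in browser history, proxy logs and `Referer` headers, so the check limits where it can go rather than making the transport safe.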