diff -Nur e-smith-manager-2.6.0.old/root/etc/e-smith/web/common/cgi-bin/login e-smith-manager-2.6.0/root/etc/e-smith/web/common/cgi-bin/login
--- e-smith-manager-2.6.0.old/root/etc/e-smith/web/common/cgi-bin/login 2017-01-16 18:17:33.780000000 -0500
+++ e-smith-manager-2.6.0/root/etc/e-smith/web/common/cgi-bin/login 2017-01-16 18:59:16.748000000 -0500
@@ -160,8 +160,7 @@
 # If $back domain doesn't match $AUTH_DOMAIN, pass ticket via back GET param
 my $domain = $AUTH_DOMAIN || $server_name;
 if ($b->host !~ m/\b$domain$/i) {
- $back .= $b->query ? '&' : '?';
- $back .= $at->cookie_name . '=' . $tkt;
+ $fatal="Bad redirection parameter: \"$back\" is not an authorized redirection.
\nYou may be experiencing an attack.
\nLogin is not possible on the above URL for your own security.
\nPlease manually enter the address you were trying to reach if you followed a link."; } # For some reason, using a Location: header doesn't seem to then see the
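Review bot: The new `$fatal` assignment interpolates the raw, request-supplied `$back` into the message, so if `$fatal` is later written into the HTML response without escaping (that code is outside the hunk) the page reflects attacker-controlled input back to the browser. Escape it where it is interpolated, e.g. `my $safe_back = CGI::escapeHTML($back);` and use `$safe_back` in the string (assuming the script already loads CGI, which is not visible here), or leave the URL out of the user-facing message and log it server-side instead. The literal `\n` sequences only produce line breaks if the message is emitted as plain text; rendered as HTML they collapse to whitespace, so `<br>` or separate paragraphs would be needed there. Nothing in the hunk stops execution after `$fatal` is set, so the code that follows (it continues past the hunk) must check `$fatal` before emitting any redirect or ticket. The surrounding host check `m/\b$domain$/i` interpolates `$domain` unescaped, so `\Q$domain\E` would make the dots literal — a pre-existing detail rather than something this change introduces.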