From tracker 2276:

Restrict redirect.php to allow requests only from within eGroupware.
HTTP_REFERER is checked against the egroupware path.
A valid session is now required.

redirect.php

@@ -32,17 +32,64 @@
 		}
 	}
 
-	if($_GET['go'])
+	/* Only allow redirects with a valid session */
+	$GLOBALS['egw_info'] = array(
+		'flags' => array(
+			'noheader'   => True,
+			'nonavbar'   => True,
+			'currentapp' => 'home'
+		)
+	);
+	include('./header.inc.php');
+
+
+	/* Only allow redirects from inside this eGroupware installation. */
+	$valid_referer = array();
+	$path = preg_replace('/\/[^\/]*$/','',$_SERVER['PHP_SELF']) . '/';
+	array_push($valid_referer, $path);
+	array_push($valid_referer, ($_SERVER['HTTPS'] ? 'https://' : 'http://') . $_SERVER['SERVER_ADDR'] . $path);
+	array_push($valid_referer, ($_SERVER['HTTPS'] ? 'https://' : 'http://') . $_SERVER['SERVER_NAME'] . $path);
+
+	$referrer = trim($_SERVER['HTTP_REFERER']);
+	if ((!isset($_SERVER['HTTP_REFERER'])) || (empty($referrer)))
+	{
+		echo "Only usable from within eGroupware.\n";
+	}
+	else if($_GET['go'])
+	{
+		$allow = false;
+		foreach ($valid_referer as $urlRoot)
+		{
+			/* Check if the referrer begins with a valid URL. */
+			if (strncmp($urlRoot, $referrer, strlen($urlRoot)) == 0)
+			{
+				$allow = true;
+				break;
+			}
+		}
+		if ($allow)
 		{
 			$url= html_entity_decode(urldecode($_GET['go']));
 			unset($_GET['go']);
-		if (!empty($_GET)) $url=$url."&".http_build_query($_GET);
+			/* Only add "&" if there is something to append. */
+			if (!empty($_GET))
+			{
+				$url=$url."&".http_build_query($_GET);
+			}
 
 			Header('Location: ' . html_entity_decode(urldecode($url)));
 			exit;
 		}
 		else
 		{
-		echo "this won't work!!";
+			echo "Redirect not allowed for referrer '".$_SERVER['HTTP_REFERER']."'.\n";
+			echo "<pre>";
+			print_r($valid_referer);
+			echo "<pre>\n";
+		}
+	}
+	else
+	{
+		echo "Error redirecting.";
 	}
 ?>