Ticket #586 (new defect)

Opened 5 months ago

Last modified 4 months ago

Arbitrary URL Redirection / Phishing Vulnerability

Reported by: andy_st
Owned by: andy_st
Priority: critical
Milestone: 3.0 RC 1
Version: 3.0 Beta 2
Keywords: security
Cc:

Description (last modified by andy_st)

The logout controller allows for arbitrary URL redirects, open for phishing
attacks.

The "index" function is vulnerable to arbitrary URL redirection by placing
any URL within the "continue" URL parameter.
The following request can be used to exploit this issue:
/index.php/logout?continue=http://www.google.com

See G2's approach to ensure that no redirect points to an external URL.
If that's too heavyweight, maybe don't allow for any absolute URLs in
redirects and warn admins about issues on shared domains.

See:
- GDS security assessment, Feb-2009, issue 14
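The fix suggested above (accept only local redirect targets, or at most absolute URLs on the site's own host) could be implemented as a validation step applied to the "continue" parameter before the logout controller redirects. This is an added illustration in Python, not Gallery's code; the function name, the `allowed_host` parameter and the sample hosts are constructed for the example.

```python
from urllib.parse import urlsplit


def safe_continue_url(candidate, default="/", allowed_host=None):
    """Validate a post-logout redirect target.

    Returns `candidate` only if it stays on this site, otherwise `default`.
    Relative paths are always checked; absolute http(s) URLs are accepted only
    when `allowed_host` is given and matches the URL's host exactly.
    (Illustrative helper, not part of the project.)
    """
    if not candidate:
        return default
    # Control characters, whitespace and backslashes: browsers quietly
    # normalise them (e.g. "/\evil.example" is treated as "//evil.example"),
    # so refuse them outright instead of trying to canonicalise.
    if "\\" in candidate or any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only same-host http(s) passes.
        if allowed_host is None:
            return default
        if parts.scheme not in ("http", "https"):
            return default
        # urlsplit strips userinfo, so "http://site@evil.example/" yields
        # hostname "evil.example" and is rejected here.
        if parts.hostname != allowed_host.lower():
            return default
        return candidate
    # Relative target: must be rooted at "/" with exactly one leading slash.
    # "//host" is parsed as a netloc above, but "///host" is not, and browsers
    # treat both as protocol-relative, so test the raw string, not the path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    # The ticket's proof-of-concept value falls back to the default target.
    print(safe_continue_url("http://www.google.com"))
    print(safe_continue_url("/albums/1?page=2"))
```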

Change History

Changed 5 months ago by andy_st

  • priority changed from major to critical
  • description modified

Changed 4 months ago by ckdake

  • milestone changed from 3.0 Beta 3 to 3.0 RC 1