hack of user_logout.php?

Help
adrianbj
2009-01-10
2013-05-28
  • adrianbj
    2009-01-10

    Hey Matthias,

    I noticed some weirdness with some links in my log files and then did this google search (http://www.google.com/search?hl=en&q=referer%3DHTTP%3A%2F%2Fmarker2009.com&btnG=Search) which you should look at. I don't really understand what is going on here, but it doesn't look good :-)

    Thanks,
    Adrian

    • adrianbj
      2009-01-10

      Sorry about the dramatic subject - it's only an HTTP Header Injection.

      As a really quick fix, I have commented out these lines in user_logout.php

      //    if (!preg_match("/.*user(_details|_options|_receipt|s)\.php.*|.*(error|install|query_manager|query_history)\.php.*/", $referer)) // variable '$referer' is globally defined in function 'start_session()' in 'include.inc.php'
      //header("Location: " . $referer); // redirect the user to the calling page
      //else

      This way no matter what is entered in the url to pass an address to $referer, it will always just return the user to the refbase homepage.

      I imagine we could make sure that $referer is a local address etc, but thought I'd leave that up to you to figure out the best option.

      Cheers,
      Adrian

    • adrianbj
      2009-01-10

      I know you are aware of this, but just looking around refbase, I noticed that there are many, many instances of $referer being used for 'header Location', so I think these will all need to be taken care of.

      Thanks again,
      Adrian

    • Hi Adrian,

      thanks for letting us know! I'm still recovering from a flu that has put me off but I'll try to look into this ASAP.

      Thanks, Matthias

    • Open redirects are all-too-common still.  Your work-around is fine, but might be inconvenient (as it won't use the valid redirects & return users to the page from which they came).

      This is really a social exploit more than a technical one: spammers and phishers can use these links to appear to the casual web user that they will go to your (reputable) site, when they are really sent to the malicious site.  Modern browsers and safe computing practices should mitigate the threat--the address bar will reflect the real malicious site & any blacklists will still be in effect.  This is probably why the problem is so common.

      refbase should be fixed, though.  I think the proper fix will be to make a redirect sanitizer which confirms that links are to some place in your domain.  Any pages outside of your domain should be redirected to some default site or to a page that asks the user if they really want to leave your domain.  This should be relatively straightforward.
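A redirect sanitizer of the kind suggested in this reply, added here as an illustration and not refbase's own code. It takes the untrusted $referer value that user_logout.php passes to header("Location: ..."), rejects CR/LF (the header injection from the first reply) and anything that does not stay on the site's own host, and otherwise falls back to a default page; the function name, the configured hostname and the fallback page are assumed.

```php
<?php
// Added example, not refbase code. Returns a Location value that is either
// the original $referer (if it is safe) or $fallback.
function sanitizeRedirect(string $referer, string $allowedHost, string $fallback): string
{
    // CR or LF in a header value lets extra headers be appended: reject outright.
    if ($referer === '' || preg_match('/[\r\n]/', $referer)) {
        return $fallback;
    }

    $parts = parse_url($referer);
    if ($parts === false || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback; // malformed URL, or userinfo that could disguise the host
    }

    // Relative path on this site: must start with exactly one "/".
    // "//evil.example" and "/\evil.example" are treated by browsers as
    // scheme-relative absolute URLs, so they are not accepted here.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        $path = $parts['path'] ?? '';
        if ($path !== '' && $path[0] === '/'
            && !(strlen($path) > 1 && ($path[1] === '/' || $path[1] === '\\'))) {
            return $referer;
        }
        return $fallback;
    }

    // Absolute URL: scheme must be http(s) and the host must be our own
    // (parse_url's host excludes the port, so this is a host-only comparison).
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (in_array($scheme, ['http', 'https'], true) && $host === strtolower($allowedHost)) {
        return $referer;
    }

    return $fallback;
}

// How it would be used in place of the commented-out lines in user_logout.php.
// The allowed host should come from the site's configuration rather than from
// the request's Host header; 'refbase.example' is a placeholder value.
$target = sanitizeRedirect($referer ?? '', 'refbase.example', 'index.php');
header('Location: ' . $target);
```

With this in place, valid same-site referers still return users to the page they came from, which addresses the inconvenience of the quick fix above.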