
Open Redirects for logged in users #4945

Closed
mburring opened this issue Nov 21, 2022 · 0 comments · Fixed by #4952
Labels: area/authentication (Affects user authentication or authorization), bug (Something isn't working)

@mburring

Describe the bug

When logged in, the underlying URL redirection system appears to be open and will redirect to any requested URL.

To Reproduce

  1. https://my.icingaweb2.server/icingaweb2/authentication/login?redirect=http://google.com
    Will issue a 302 redirect to google.com

[screenshot: icingawe2redirect]

Expected behavior

All open redirects should be denied. While not a direct exploit, it can be used as a potential attack surface for misdirection.

Your Environment


  • Icinga Web 2 version and modules (System - About): 2.11.2
  • Web browser used: Chrome, Firefox
  • Icinga 2 version used (icinga2 --version): r2.13.6-1
  • PHP version used (php --version): 7.4.3
  • Server operating system and version: Ubuntu 20.04
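The report above boils down to one missing check: the value of `redirect=` is handed to a `Location` header without confirming it stays on the same host. The allow-list check below is an added example written for this page; it is not Icinga Web 2's own code and not the fix that landed in #4952. It treats a redirect target as safe only when it is a path on the current host, and it also rejects the usual bypasses for such checks (protocol-relative `//host`, backslash `/\host`, percent-encoded slashes, embedded tabs and newlines). The function names and the fallback path `/icingaweb2/dashboard` are assumptions for illustration; the sample inputs at the bottom are constructed, the first being the exact payload from the report.

```python
"""Allow-list check for a ``?redirect=`` parameter (added example, not project code)."""
from urllib.parse import unquote, urlsplit


def is_local_redirect(target: str) -> bool:
    """Return True only if ``target`` is an absolute path on this host.

    Anything that a browser could resolve to another origin is refused:
    full URLs, protocol-relative URLs, backslash variants, control
    characters, and percent-encoded forms of the same.
    """
    if not target or len(target) > 2048:
        return False
    # Browsers strip tabs/newlines and fold backslashes before resolving a
    # Location header; refuse input that needs such normalisation rather
    # than trying to mimic every browser quirk.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Check both the raw value and its percent-decoded form: a framework that
    # decodes before redirecting would turn "/%2F%2Fevil" into "//evil".
    for candidate in (target, unquote(target)):
        if not candidate.startswith("/"):
            return False  # relative paths and scheme-prefixed values
        if candidate[1:2] in ("/", "\\"):
            return False  # "//host" and "/\host" both mean another origin
        try:
            parts = urlsplit(candidate)
        except ValueError:
            return False
        if parts.scheme or parts.netloc:
            return False
    return True


def pick_redirect(requested: str, fallback: str = "/icingaweb2/dashboard") -> str:
    """Return ``requested`` if it passes the check, otherwise the fallback.

    The fallback path is an assumption for this example.
    """
    return requested if is_local_redirect(requested) else fallback


if __name__ == "__main__":
    # Constructed sample inputs; the first is the payload from the report.
    samples = [
        "http://google.com",
        "//evil.example/login",
        "/\\evil.example",
        "/%2F%2Fevil.example",
        "javascript:alert(1)",
        "\t//evil.example",
        "/icingaweb2/dashboard",
        "/icingaweb2/monitoring/list/hosts?host_state=1",
    ]
    for s in samples:
        print(f"{s!r:50} -> {pick_redirect(s)}")
```

The check deliberately refuses absolute URLs even when they point at the application's own host: comparing the host part against the request's `Host` header is itself a common mistake, since that header is attacker-controlled. If absolute targets are genuinely needed, compare the parsed host against a fixed, configured allow-list instead.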
@nilmerg nilmerg self-assigned this Dec 1, 2022
@nilmerg nilmerg added area/authentication Affects user authentication or authorization bug Something isn't working labels Dec 1, 2022
nilmerg added a commit that referenced this issue Dec 1, 2022
nilmerg added a commit that referenced this issue Dec 7, 2022
nilmerg added a commit that referenced this issue Dec 8, 2022
fixes #4945

(cherry picked from commit ec7fb82)
nilmerg added a commit that referenced this issue Dec 8, 2022
fixes #4945

(cherry picked from commit ec7fb82)
@nilmerg nilmerg added this to the 2.11.3 milestone Dec 8, 2022
nilmerg added a commit that referenced this issue Dec 13, 2022
fixes #4945

(cherry picked from commit ec7fb82)