identification should redirect within Piwigo only #706
Comments
@modus75 can you review that please? :-) For the "forced redirection" (second commit bbb9c5e), here are 4 examples:
A) http://localhost/piwigo/git/identification.php?redirect=/piwigo/git/admin.php
B) http://localhost/piwigo/git/identification.php?redirect=http://piwigo.org
C) https://pierrick.piwigo.com/identification.php?redirect=%252Fadmin.php
D) https://pierrick.piwigo.com/identification.php?redirect=http://piwigo.org
Looks OK to me

On 14 June 2017 10:28, "Pierrick Le Gall" <notifications@github.com> wrote:

@modus75 <https://github.com/modus75> can you review that?
For the "forced redirection" (second commit bbb9c5e), here are 4 examples:
A) http://localhost/piwigo/git/identification.php?redirect=/piwigo/git/admin.php
{redirect (raw) = /piwigo/git/admin.php}
{get_absolute_root_url = http://localhost/piwigo/git/}
{cookie_path = /piwigo/git/}
{host = http://localhost}
{redirect (final) = http://localhost/piwigo/git/admin.php}
B) http://localhost/piwigo/git/identification.php?redirect=http://piwigo.org
{redirect (raw) = http://piwigo.org}
{get_absolute_root_url = http://localhost/piwigo/git/}
{cookie_path = /piwigo/git/}
{host = http://localhost}
{redirect (final) = http://localhosthttp://piwigo.org} => that will fail
C) https://pierrick.piwigo.com/identification.php?redirect=%252Fadmin.php
{redirect (raw) = /admin.php}
{get_absolute_root_url = https://pierrick.piwigo.com/}
{cookie_path = /}
{host = https://pierrick.piwigo.com}
{redirect (final) = https://pierrick.piwigo.com/admin.php}
D) https://pierrick.piwigo.com/identification.php?redirect=http://piwigo.org
{redirect (raw) = http://piwigo.org}
{get_absolute_root_url = https://pierrick.piwigo.com/}
{cookie_path = /}
{host = https://pierrick.piwigo.com}
{redirect (final) = https://pierrick.piwigo.comhttp://piwigo.org} => that will fail too
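As an added illustration (not Piwigo's code from commit bbb9c5e), here is one way a login page can force the redirect parameter to stay under the gallery root, taking as inputs the same values traced above (host, cookie_path and the raw redirect). The function and parameter names are assumptions, and the function is assumed to receive the already URL-decoded parameter value, as shown in the "redirect (raw)" lines of the trace.

```php
<?php
// Added example, not Piwigo's own code: force a login redirect to stay under
// the gallery root. Inputs mirror the values traced in the thread:
//   $host        "http://localhost" or "https://pierrick.piwigo.com"
//   $cookie_path gallery root path, "/piwigo/git/" or "/"
//   $raw         the redirect parameter, already URL-decoded (assumption)
// Requires PHP 8 for str_starts_with().
function safe_redirect_url(string $host, string $cookie_path, string $raw): string
{
    $root = rtrim($host, '/') . $cookie_path;   // e.g. http://localhost/piwigo/git/

    // Browsers accept "\" as "/", so normalise first: "/\other.example" becomes
    // "//other.example" and is then caught as a network-path reference below.
    $path = str_replace('\\', '/', trim($raw));

    // Anything with a scheme ("http:", "javascript:") or an authority ("//host")
    // is the open-redirect case: send the user to the gallery root instead.
    if ($path === '' || str_starts_with($path, '//')
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $path)) {
        return $root;
    }

    $parts = parse_url($path);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || empty($parts['path'])) {
        return $root;
    }

    // Only absolute paths under the gallery root, with no ".." segments that
    // could climb out of it, are accepted.
    $p = $parts['path'];
    if (!str_starts_with($p, $cookie_path) || in_array('..', explode('/', $p), true)) {
        return $root;
    }

    // Rebuild the URL from the trusted host rather than echoing the raw parameter.
    return rtrim($host, '/') . $p
        . (isset($parts['query']) ? '?' . $parts['query'] : '')
        . (isset($parts['fragment']) ? '#' . $parts['fragment'] : '');
}

// The four cases from the thread (constructed here from the traced values).
$cases = [
    'A' => ['http://localhost', '/piwigo/git/', '/piwigo/git/admin.php'],
    'B' => ['http://localhost', '/piwigo/git/', 'http://piwigo.org'],
    'C' => ['https://pierrick.piwigo.com', '/', '/admin.php'],
    'D' => ['https://pierrick.piwigo.com', '/', 'http://piwigo.org'],
];
foreach ($cases as $label => [$host, $cookiePath, $raw]) {
    printf("%s) %-22s => %s\n", $label, $raw, safe_redirect_url($host, $cookiePath, $raw));
}
```

Cases A and C resolve to the same final URLs as in the trace. Cases B and D, which in the trace concatenated into an unusable "http://localhosthttp://piwigo.org", instead fall back to the gallery root, so the user always lands inside the site. The check is deliberately an allow-list on the path (absolute, under cookie_path, no ".."), rather than a deny-list of known-bad prefixes.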
Thank you @modus75, commits merged :-)
The $_POST['redirect'] system in identification.php can lead to a redirect outside Piwigo, to any location actually. To avoid any "open redirect" security issue, Piwigo should make sure the redirection occurs only within Piwigo, not outside.
Reported by Eric Fernando Castañeda Nazario