
identification should redirect within Piwigo only #706

Closed
plegall opened this issue Jun 14, 2017 · 3 comments

Comments

@plegall
Member

plegall commented Jun 14, 2017

The $_POST['redirect'] system in identification.php can lead to a redirect outside Piwigo. On any location actually. To avoid any "open redirect" security issue, Piwigo should make sure the redirection occurs only within Piwigo, not outside.

Reported by Eric Fernando Castañeda Nazario

@plegall plegall added this to the 2.9.1 milestone Jun 14, 2017
@plegall plegall self-assigned this Jun 14, 2017
@plegall
Member Author

plegall commented Jun 14, 2017

@modus75 can you review that please :-) ?

For the "forced redirection" (second commit bbb9c5e), here are 4 examples:

A) http://localhost/piwigo/git/identification.php?redirect=/piwigo/git/admin.php

{redirect (raw) = /piwigo/git/admin.php}
{get_absolute_root_url = http://localhost/piwigo/git/}
{cookie_path = /piwigo/git/}
{host = http://localhost}
{redirect (final) = http://localhost/piwigo/git/admin.php}

B) http://localhost/piwigo/git/identification.php?redirect=http://piwigo.org

{redirect (raw) = http://piwigo.org}
{get_absolute_root_url = http://localhost/piwigo/git/}
{cookie_path = /piwigo/git/}
{host = http://localhost}
{redirect (final) = http://localhosthttp://piwigo.org} => that will fail

C) https://pierrick.piwigo.com/identification.php?redirect=%252Fadmin.php

{redirect (raw) = /admin.php}
{get_absolute_root_url = https://pierrick.piwigo.com/}
{cookie_path = /}
{host = https://pierrick.piwigo.com}
{redirect (final) = https://pierrick.piwigo.com/admin.php}

D) https://pierrick.piwigo.com/identification.php?redirect=http://piwigo.org

{redirect (raw) = http://piwigo.org}
{get_absolute_root_url = https://pierrick.piwigo.com/}
{cookie_path = /}
{host = https://pierrick.piwigo.com}
{redirect (final) = https://pierrick.piwigo.comhttp://piwigo.org} => that will fail too
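The four cases above show the mechanism: the final URL is rebuilt from the site's own host plus the submitted path, and an absolute URL such as `http://piwigo.org` simply produces a broken concatenation. The following is an added example, not Piwigo's own code, of how that "forced redirection" can be made explicit and complete: anything carrying a scheme or host is refused, backslashes and control characters are refused, `.`/`..` segments are collapsed, and the result must still sit under the site's `cookie_path`, otherwise the user is sent to the gallery root. `$rootUrl` stands in for what the thread calls `get_absolute_root_url` (assumed to be scheme + host + cookie_path, e.g. `http://localhost/piwigo/git/`), and `$raw` is the redirect value as PHP delivers it in `$_GET`/`$_POST`, i.e. after one URL-decoding, which is the "redirect (raw)" value listed in each case.

```php
<?php
// Added example (not part of Piwigo): keep a login redirect inside the site.
// $rootUrl is assumed to be the absolute root URL of the gallery
// (scheme + host + cookie_path), e.g. "http://localhost/piwigo/git/".
function safe_redirect_within_site(string $raw, string $rootUrl): string
{
    $root = parse_url($rootUrl);
    $scheme = $root['scheme'];
    $host = $root['host'] . (isset($root['port']) ? ':' . $root['port'] : '');
    $cookiePath = isset($root['path']) ? $root['path'] : '/';   // e.g. "/piwigo/git/"
    $fallback = $scheme . '://' . $host . $cookiePath;           // the gallery root

    // Control characters could smuggle a second header into the Location
    // response; backslashes are treated as slashes by some browsers ("/\evil").
    if ($raw === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $raw)) {
        return $fallback;
    }

    $parts = parse_url($raw);
    // Absolute URLs (cases B and D: "http://piwigo.org"), protocol-relative
    // ones ("//piwigo.org") and pseudo-schemes ("javascript:...") all carry a
    // scheme or a host: never follow them, go back to the root instead.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }

    $path = isset($parts['path']) ? $parts['path'] : '';
    // A relative path ("admin.php") is resolved under cookie_path.
    if ($path === '' || $path[0] !== '/') {
        $path = $cookiePath . $path;
    }

    // Collapse "." and ".." so "/piwigo/git/../../x" cannot climb out of the
    // gallery; the leading empty segment keeps the path absolute.
    $clean = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '..') {
            if (count($clean) > 1) {
                array_pop($clean);
            }
        } elseif ($segment !== '.') {
            $clean[] = $segment;
        }
    }
    $path = implode('/', $clean);

    // After normalisation the path must still live under cookie_path
    // (cases A and C).
    if (strncmp($path, $cookiePath, strlen($cookiePath)) !== 0) {
        return $fallback;
    }

    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return $scheme . '://' . $host . $path . $query;
}

// Usage with constructed inputs mirroring the thread's cases A and B,
// plus two escape attempts the simple concatenation does not cover.
$rootUrl = 'http://localhost/piwigo/git/';
foreach ([
    '/piwigo/git/admin.php',        // case A: allowed
    'http://piwigo.org',            // case B: refused, sent to the root
    '//piwigo.org',                 // protocol-relative: refused
    '/piwigo/git/../../admin.php',  // climbs out of cookie_path: refused
] as $raw) {
    echo $raw, ' => ', safe_redirect_within_site($raw, $rootUrl), "\n";
}
```

Falling back to the gallery root rather than failing the login keeps the user experience of cases B and D intact (the sign-in still succeeds) while removing the attacker-controlled destination; if a site prefers to log such attempts, the two `return $fallback` branches for a foreign scheme/host and for a path outside `cookie_path` are the places to do it.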

@modus75
Contributor

modus75 commented Jun 14, 2017 via email

@plegall
Member Author

plegall commented Jun 14, 2017

Thank you @modus75, commits merged :-)

@plegall plegall closed this as completed Jun 14, 2017
@plegall plegall changed the title [security] identification should redirect within Piwigo only identification should redirect within Piwigo only Jan 15, 2018