Describe the bug
It is possible to redirect a user to an attacker-owned domain and trick the user. I am investigating the potential chaining of this bug to perform other attacks.
Expected behavior
Redirection to external URLs must not be allowed.
To Reproduce
This occurs at the main login page when the user enters an invalid username/password.
The URL gets changed to http://localhost:1501/authentication/login?old=http%3A%2F%2Flocalhost%3A1501%2Fhome
An attacker can change the URL (to any attacker-owned domain which may mimic the Submitty interface) to something like localhost:1501/authentication/login?old=http%3A%2F%2Flgoogle.com
and trick users into being redirected to google.com after they enter their creds.
Additional context
This can be prevented either by:
Adding regex checks on the URL and whitelisting the URL.
Completely removing GET-request-based URL redirection.
I am trying to fix this but thought I would create this issue for others to contribute the fix if interested.
Is there ever a time when we want the PHP to redirect users to external websites? It seems like automatically redirecting users to external websites is a bad idea anyway. There might be some way in the future where somebody finds a different way to redirect users to an external domain (other than on login) and only putting the check in the login code would not stop that. If we do want to have the ability to allow redirecting to external websites then we don't have a choice, but if we don't ever want to redirect users to external websites, I think it might be better to add that check here which will stop all redirects.
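As an added example (not Submitty's own code), here is a PHP helper that implements the allow-list check proposed in the report and that the comment above suggests applying once, centrally, rather than only in the login code. It accepts a candidate redirect target only if it is a site-relative path or an http(s) URL on the application's own host; anything else is replaced by a fallback. The function name, the `$expected_host` parameter, the `/home` fallback and the `evil.example` inputs are assumptions made for this illustration; the two `localhost`/`lgoogle.com` inputs are the values from the report.

```php
<?php
// Added example, not Submitty's own code. Function name, parameters and the
// fallback path are assumptions made for this illustration.

/**
 * Return $candidate if it is a safe same-site redirect target, else $fallback.
 *
 * Accepted: a site-relative path ("/home", "/gradeable/42?x=1") or an http(s)
 * URL whose host matches $expected_host. Pass the host from configuration,
 * not from the request, because the Host header can be attacker-influenced.
 */
function safeRedirectTarget(string $candidate, string $expected_host, string $fallback = '/home'): string
{
    // Browsers strip tabs/newlines and tolerate leading whitespace, so any
    // control character or whitespace is rejected outright; otherwise
    // "/\t/evil.example" could become "//evil.example" after normalisation.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7F]/', $candidate)) {
        return $fallback;
    }

    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback; // unparsable input never wins
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    $path   = $parts['path'] ?? '';

    if ($host !== '') {
        // Absolute ("http://...") or scheme-relative ("//...") URL: only http(s)
        // to our own host is allowed, and no userinfo ("http://localhost@evil").
        if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
            return $fallback;
        }
        if ($host !== strtolower($expected_host) || isset($parts['user']) || isset($parts['pass'])) {
            return $fallback;
        }
        return $candidate;
    }

    // No host: reject anything carrying a scheme ("javascript:", "data:"), then
    // require a path that starts with a single "/" ("//x" and "/\x" are both
    // treated as protocol-relative URLs by browsers).
    if ($scheme !== '' || $path === '' || $path[0] !== '/') {
        return $fallback;
    }
    if (strlen($path) > 1 && ($path[1] === '/' || $path[1] === '\\')) {
        return $fallback;
    }
    return $candidate;
}

// Demonstration: the same-site URL from the report is kept, the
// attacker-controlled one and the constructed bypass attempts get the fallback.
$site_host = 'localhost';
$cases = [
    'http://localhost:1501/home',      // from the report, same host   -> kept
    'http://lgoogle.com',              // from the report, other host  -> fallback
    '//evil.example/login',            // constructed: scheme-relative -> fallback
    '/\\evil.example',                 // constructed: backslash trick -> fallback
    'javascript:alert(1)',             // constructed: non-http scheme -> fallback
    '/gradeable/42?section=1',         // constructed: relative path   -> kept
];
foreach ($cases as $url) {
    printf("%-35s => %s\n", $url, safeRedirectTarget($url, $site_host));
}

// In the login handler the decoded "old" parameter would be filtered the same
// way before it reaches the Location header:
//   $target = safeRedirectTarget($_GET['old'] ?? '', $site_host);
//   header('Location: ' . $target);
```

The check compares the host only; if the deployment must also pin the port (the report's instance runs on localhost:1501), compare `$parts['port']` against the configured port in the same branch. Placing this filter in the shared redirect routine, as the comment above proposes, means every future caller that passes a user-supplied URL is covered, not just the login page.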