
Open Redirection Vulnerability #731

Closed
niphlod opened this issue Jan 26, 2015 · 6 comments

Comments

@niphlod (Member)

niphlod commented Jan 26, 2015

From bhati.fe..._at_gmail.com on October 01, 2014 06:46:01

Issue - Open redirection to any domain
Dependency - For a successful redirection we need the administration password
Only unauthenticated users are affected. If a user is already authenticated on Web2py then he will not get redirected. Apart from this, users who are not authenticated, like "end users", will get redirected successfully.

Severity - Medium (according to me) =D Correct me if I am wrong
Tested on - Web2py tester version from the official site
Reported by - Narendra Bhati

Here I have tested this issue on the tester version provided by the Web2py official site.

What steps will reproduce the problem?
1. http://127.0.0.1:8000/admin/default/index?password=sumasoft123&send=http%3A%2F%2Fgoogle.com
(successful redirection tested on the "Tester" version of the latest Web2py version)
2. Replace the password parameter value with your administration password
3. After replacing the valid password, enter any domain and you will get redirected

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?

Please provide any additional information below.

Original issue: http://code.google.com/p/web2py/issues/detail?id=1992

@niphlod (Member, Author)

niphlod commented Jan 26, 2015

From bhati.fe..._at_gmail.com on September 30, 2014 21:53:11

Sorry, I forgot to mention other information. Here it is:

What is the expected output? What do you see instead?

The expected output is to prevent users from being redirected to another domain. But
instead of preventing the user from being redirected to another domain, it is actually allowing me to redirect to any external domain.

What version of the product are you using? On what operating system?
Web2py - Version 2.9.11

Please provide any additional information below.
OS - Windows 8
Browser - Mozilla, Chrome (updated)

@niphlod (Member, Author)

niphlod commented Jan 26, 2015

From bhati.fe..._at_gmail.com on October 17, 2014 03:48:38

More update on this issue:
The previously mentioned open redirection depends on admin credentials,
but this URL can redirect users to an external domain without the need for any credentials:

http://127.0.0.1:8000/user/logout?_next=http://attacker.com

This is a clear open redirection vulnerability which I found recently.

@imnarendrabhati

Any acknowledgement for reporting this?

@niphlod (Member, Author)

niphlod commented Jan 29, 2015

would it be enough to check for "http(s)" in _next and not redirect at all in case it's found?

@niphlod (Member, Author)

niphlod commented Jan 29, 2015

actually, there's a whole machinery to prevent open redirections in login() but not on logout(). we should extend that machinery to logout() too.
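The two ideas in the comments above, the proposed "http(s)" substring check on `_next` and the same-site validation login() already performs, as an added example that is not web2py's code: a hardened same-site check placed next to the naive substring check and run over constructed targets that include the thread's PoC (`_next=http://attacker.com`) plus the usual bypasses of a substring test (protocol-relative `//host`, backslash paths, userinfo, `javascript:`). The own-host value `127.0.0.1:8000`, the function names and the `resolve_logout_target` helper are assumptions for illustration; the same check would apply to the admin `send` parameter from the first report.

```python
"""Open-redirect guard for a `_next`/`send` style parameter.

Added example, not web2py code. Assumes the application knows its own
host (the equivalent of request.env.http_host, assumed here to be
"127.0.0.1:8000").
"""
from urllib.parse import urlsplit

# Constructed sample targets: the thread's PoC plus common bypasses of a
# substring check (protocol-relative, backslash, userinfo, javascript:, leading space).
SAMPLE_TARGETS = [
    "/user/profile",
    "http://127.0.0.1:8000/user/profile",
    "http://attacker.com",
    "https://attacker.com/",
    "//attacker.com",
    "/\\attacker.com",
    "http://127.0.0.1:8000@attacker.com/",
    "javascript:alert(1)",
    " http://attacker.com",
    "",
]


def naive_is_safe_next(next_url):
    """The check proposed in the thread: refuse anything containing 'http'."""
    return "http" not in next_url.lower()


def is_safe_next(next_url, own_host):
    """Allow only a same-site target: a root-relative path, or an absolute
    http(s) URL whose authority (userinfo, host and port) is exactly own_host."""
    if not next_url:
        return False
    # Reject leading/trailing whitespace, control characters and backslashes
    # before parsing: browsers normalise "/\\evil" to "//evil" and strip
    # leading controls, so urlsplit alone would see something else than the browser.
    if next_url != next_url.strip():
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_url) or "\\" in next_url:
        return False
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative ("//attacker.com" parses with a netloc
        # and an empty scheme, so it fails here). netloc keeps any userinfo,
        # so "127.0.0.1:8000@attacker.com" does not match either.
        return parts.scheme in ("http", "https") and parts.netloc.lower() == own_host.lower()
    # Relative target: require a root-relative path.
    return next_url.startswith("/")


def resolve_logout_target(get_vars, own_host, default="/"):
    """Where a logout() handler should redirect: the validated _next, else default."""
    next_url = get_vars.get("_next", "")
    if isinstance(next_url, (list, tuple)):
        next_url = next_url[0] if next_url else ""
    return next_url if is_safe_next(next_url, own_host) else default


def compare_checks(own_host="127.0.0.1:8000"):
    """Map each sample target to (naive verdict, hardened verdict)."""
    return {t: (naive_is_safe_next(t), is_safe_next(t, own_host)) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, (naive, hardened) in compare_checks().items():
        print(f"{target!r:42} naive={naive!s:5} hardened={hardened}")
    print(resolve_logout_target({"_next": "http://attacker.com"}, "127.0.0.1:8000"))
```

Running `compare_checks()` shows why the substring test alone is not enough: `//attacker.com`, `/\attacker.com` and `javascript:alert(1)` contain no "http" and pass it, yet each sends the browser off-site; the hardened check rejects all of them and still accepts `/user/profile` and an absolute URL on the application's own host.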

@BuhtigithuB (Contributor)

And by the way, why not make it reusable for users to help them manage
flow in their app without having to reinvent the wheel and create a security hole,
as I am doing right now :D

