Project

General

Profile

Defect #19577

Updated by Jan from Planio www.plan.io over 9 years ago

h2. Summary 

 The valid_back_url? method used e.g. after a login to redirect the user 
 back to where they came from doesn't properly validate passed URLs 
 resulting in an open redirect vulnerability which can be used for 
 phishing and other attacks. 

 After the redirect to the untrusted site, phishers may then steal the 
 user’s credentials and then use these credentials to access the 
 legitimate web site. Because the server name in the modified link is 
 identical to the original site, phishing attempts have a more 
 trustworthy appearance. 

 h2. Description 

 When redirecting the user back after a successful login, 
 redirect_back_or_default is trying to validate the passed URL to ensure 
 that the target of the HTTP 302 redirect is valid. 

 However, the valid_back_url? method used to validate the URL doesn't 
 take some cases into account which can result in a redirect to an 
 arbitrarily chosen host. 

 h2. Credits 

 This issue was discovered by Yassine ABOUKIR    of 
 http://yassineaboukir.com/. The patch was developed by Holger Just of 
 Planio. 

 h2. Solution 

 The attached patch fixes this vulnerability. It adapts the 
 valid_back_url? method to a method called validate_back_url which 
 returns the validated and cleaned up URL which can be used by the 
 redirect method. 

 The patch cleanly applies against the current trunk as well as previous 
 Redmine versions (including 2.5, 2.6, and 3.0) 

Back