Defect #19577

Updated by Jan from Planio over 6 years ago

h2. Summary

The valid_back_url? method used e.g. after a login to redirect the user
back to where they came from doesn't properly validate passed URLs
resulting in an open redirect vulnerability which can be used for
phishing and other attacks.

After the redirect to the untrusted site, phishers may then steal the
user’s credentials and then use these credentials to access the
legitimate web site. Because the server name in the modified link is
identical to the original site, phishing attempts have a more
trustworthy appearance.

h2. Description

When redirecting the user back after a successful login,
redirect_back_or_default is trying to validate the passed URL to ensure
that the target of the HTTP 302 redirect is valid.

However, the valid_back_url? method used to validate the URL doesn't
take some cases into account which can result in a redirect to an
arbitrarily chosen host.

Example exploit:

http : // redmine. example. com/login? back_url=@attacker. com

This URL results in a redirect to

http : // redmine. example. com @attacker. com

which results in a request to http : // attacker. com with
redmine. example. com passed as a basic auth user.

h2. Credits

This issue was discovered by Yassine ABOUKIR of The patch was developed by Holger Just of

h2. Solution

The attached patch fixes this vulnerability. It adapts the
valid_back_url? method to a method called validate_back_url which
returns the validated and cleaned up URL which can be used by the
redirect method.

The patch cleanly applies against the current trunk as well as previous
Redmine versions (including 2.5, 2.6, and 3.0)