OPAC Login Redirect To Will Redirect to External Sites
Bug #1908576 reported by
Jason Stephenson
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | High | Unassigned |
3.10 | Fix Released | High | Unassigned |
3.8 | Fix Released | High | Unassigned |
3.9 | Fix Released | High | Unassigned |
Bug Description
Evergreen Versions: 3.2.10 and 3.6.1
OpenSRF Versions: N/A
PostgreSQL Version: N/A
Linux Distro: N/A
Similar to bug 1314827, the OPAC login redirect_to parameter can be modified to redirect to an external site if manually manipulated by the user or supplied as a URL.
For a proof of concept, try this on your OPAC installation
/eg/opac/
and see where you end up.
The redirect_to code should likely not follow external links, even when manually supplied by the user.
I'm not sure how exploitable this is, so I'm making this a private security bug pending research/a fix.
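One defensive check of the kind the description calls for, added here as an example and not Evergreen's own code: accept redirect_to only when it is a site-relative path and fall back to a default landing page otherwise. The function name, the `/eg/opac/home` default and the sample values are assumptions, not taken from Evergreen.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed fallback target when redirect_to is rejected (not an Evergreen value).
DEFAULT_TARGET = "/eg/opac/home"


def safe_redirect_target(redirect_to, default=DEFAULT_TARGET):
    """Return redirect_to if it can only lead back into this site, else default.

    A browser sends "//host", "/\\host" and "///host" to an external host just
    as it does "https://host", so all of those forms are rejected along with
    anything carrying a scheme.
    """
    if not redirect_to:
        return default
    # Whitespace and control characters change how browsers parse the value
    # (and how the Location header is emitted); refuse rather than guess.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in redirect_to):
        return default
    # Browsers treat backslashes as slashes in http(s) URLs; urlsplit does not,
    # so normalise before inspecting the leading characters.
    candidate = redirect_to.replace("\\", "/")
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default  # not site-relative, or a protocol-relative host form
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default  # defence in depth; unreachable after the checks above
    # Rebuild from path, query and fragment only, so nothing else survives.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values, as a user or a crafted link might supply them.
    for value in (
        "/eg/opac/results?query=dune&qtype=keyword",
        "https://evil.example/eg/opac/",
        "//evil.example/eg/opac/",
        "/\\evil.example",
        "///evil.example",
        "evil.example/eg/opac/",
    ):
        print(f"{value!r:45} -> {safe_redirect_target(value)}")
```

The same check can be applied to any other "return here after login" parameter; only the first, locally generated form of the value survives it.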
Changed in evergreen:
assignee: nobody → Jason Stephenson (jstephenson)
milestone: none → 3.7-beta
no longer affects: evergreen/3.4
tags: added: pullrequest
Changed in evergreen:
milestone: 3.11-beta → 3.11.0
Changed in evergreen:
milestone: 3.11.0 → 3.11-beta
status: Confirmed → Fix Released
no longer affects: evergreen/3.6
Changed in evergreen:
importance: Undecided → High
information type: Private Security → Public Security
I'm removing milestones because I don't think I'll have a fix for this in time.
I also want there to be some discussion of whether or not this is actually a bug. To that end, I'll make this a public bug after the security releases on 1/27/21.