OPAC Login Redirect To Will Redirect to External Sites

Bug #1908576 reported by Jason Stephenson
This bug affects 1 person
Affects     Status        Importance  Assigned to  Milestone
Evergreen   Fix Released  High        Unassigned
3.10        Fix Released  High        Unassigned
3.8         Fix Released  High        Unassigned
3.9         Fix Released  High        Unassigned

Bug Description

Evergreen Versions: 3.2.10 and 3.6.1
OpenSRF Versions: N/A
PostgreSQL Version: N/A
Linux Distro: N/A

Similar to bug 1314827, the OPAC login redirect_to parameter can be modified to redirect to an external site if manually manipulated by the user or supplied as a URL.

For a proof of concept, try this on your OPAC installation

/eg/opac/login?redirect_to=https://www.google.com/

and see where you end up.

The redirect_to code should likely not follow external links, even when manually supplied by the user.

I'm not sure how exploitable this is, so I'm making this a private security bug pending research/a fix.

Changed in evergreen:
assignee: nobody → Jason Stephenson (jstephenson)
milestone: none → 3.7-beta
Revision history for this message
Jason Stephenson (jstephenson) wrote :

I'm removing milestones because I don't think I'll have a fix for this in time.

I also want there to be some discussion of whether or not this is actually a bug. To that end, I'll make this a public bug after the security releases on 1/27/21.

Changed in evergreen:
milestone: 3.7-beta → 3.next
milestone: 3.next → none
Jason Stephenson (jstephenson) wrote :

I'm starting to think that this may be a feature and not a bug, as a site could allow you to log in to the OPAC and then redirect you back, but I'm not sure what the utility of such a feature is.

Changed in evergreen:
assignee: Jason Stephenson (jstephenson) → nobody
tags: added: needsdiscussion
no longer affects: evergreen/3.4
Jason Stephenson (jstephenson) wrote :

This turned up in a PCI DSS audit of our site, so I'm inclined to say it's a bug. Does an external 3rd party finding it count for marking a bug confirmed?

Jason Stephenson (jstephenson) wrote (last edit):

I'm setting this to confirmed because it was picked up in a scan conducted by SecurityMetrics:

The web application accepts a parameter value that allows redirects to unrestricted locations.

The remote web application contains functionality to redirect to a specific URL. This functionality is not restricted to relative URLs within the application and could be leveraged by an attacker to fool an end user into believing that a malicious URL they were redirected to is valid.

Parameters that are used to dynamically redirect must be restricted to paths within the application. If relative paths are accepted, the base path should be explicitly prepended.

The following parameters are vulnerable to open redirects: /eg/opac/temp_warn/postredirect_to

no longer affects: evergreen/3.5
Changed in evergreen:
status: New → Confirmed
Mike Rylander (mrylander) wrote :

I've pushed a branch to the security repo at security/user/miker/lp-1908576-restrict-login-redirect that implements a domain-based redirect restriction. From the commit message:

This commit implements a new global flag: opac.login_redirect_domains

When this flag is enabled (default), redirection from login via redirect_to will be restricted to local URLs. For local URLs, they must either start with a / (provide an absolute path) or the hostname in the URL must match the current hostname and have a scheme of http, https, ftp, or ftps.

The value for the global flag can be set to a list of comma-separated domain names. Redirection to these domains, and subdomains/hosts thereof, will also be allowed. For all non-local URLs allowed by the global flag value, the scheme must be one of http, https, ftp, or ftps.

tags: added: pullrequest
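The redirect policy that Mike's commit message describes, as an added Python model of the check (this is not Evergreen's own Perl code, and the function names, the assumed fallback path /eg/opac/home and the sample hostnames are constructed for illustration). It goes one step beyond the description: a target such as //host/path also "starts with a /", but browsers resolve it to another host, so it is refused rather than treated as local.

```python
from urllib.parse import urlsplit

# Schemes the commit message permits for host-qualified redirect targets.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def parse_flag_domains(value):
    """Parse the comma-separated domain list stored in opac.login_redirect_domains."""
    return {d.strip().lower().lstrip(".") for d in (value or "").split(",") if d.strip()}


def host_in_domain(host, domain):
    """True when host is the domain itself or a subdomain/host under it."""
    return host == domain or host.endswith("." + domain)


def is_allowed_redirect(redirect_to, current_host, flag_enabled=True, flag_domains=""):
    """Decide whether a redirect_to value may be followed after OPAC login."""
    if not flag_enabled:
        return True  # flag off: legacy behaviour, any target is followed
    if not redirect_to:
        return False
    # Absolute path within the application. Constructed caveat: "//host/..."
    # (and "/\host", which browsers normalise to "//host") would pass a bare
    # startswith("/") test yet leave the site, so it is not treated as local.
    if redirect_to.startswith("/") and not redirect_to.startswith(("//", "/\\")):
        return True
    parts = urlsplit(redirect_to)
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased, port and userinfo stripped; None if absent
    if scheme not in ALLOWED_SCHEMES or not host:
        return False  # also rejects javascript:, data: and host-less relative paths
    if host == current_host.lower().split(":")[0]:
        return True  # same hostname as the request: local URL
    # Non-local: only domains (and hosts under them) listed in the global flag.
    return any(host_in_domain(host, d) for d in parse_flag_domains(flag_domains))


def safe_redirect(redirect_to, current_host, fallback="/eg/opac/home", **policy):
    """Return redirect_to if the policy allows it, otherwise the fallback path."""
    return redirect_to if is_allowed_redirect(redirect_to, current_host, **policy) else fallback
```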
Jason Stephenson (jstephenson) wrote :

I have tested Mike's branch, and it works for me. I've pushed a signed off branch to security/user/dyrcona/lp-1908576-restrict-login-redirect-signoff.

Thanks, Mike!

tags: added: signedoff
Jason Stephenson (jstephenson) wrote :

Just adding that this branch needs a release note and the new global flag requires documentation.

tags: added: needsreleasenote
removed: needsdiscussion
Mike Rylander (mrylander) wrote :

I've pushed a rebased branch with release notes to: security/user/miker/lp-1908576-restrict-login-redirect-signoff-rebase

tags: removed: needsreleasenote
Changed in evergreen:
milestone: none → 3.11-beta
Changed in evergreen:
milestone: 3.11-beta → 3.11.0
Galen Charlton (gmc)
Changed in evergreen:
milestone: 3.11.0 → 3.11-beta
status: Confirmed → Fix Released
no longer affects: evergreen/3.6
Changed in evergreen:
importance: Undecided → High
information type: Private Security → Public Security
This report contains Public Security information  
Everyone can see this security related information.