
Ticket #875 (fixed bug)

Redirect URL after email dialog not verified

  • Created: 2013-08-03 14:14:33
  • Reported by: Franz
  • Assigned to: Franz
  • Milestone: 1.5.4
  • Component: security
  • Priority: highest

As described in this vulnerability report, the redirect_url field that is used for sending the user back to where they came from is not verified properly. This would allow attackers to use misc.php to redirect users to any URL on the internet.

It's sad that they decided to make this public without disclosing it to the developers first...
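One way to verify a redirect_url value of the kind the report describes, as an added PHP example that is not FluxBB's code (the project's actual fix is the referrer check in the commits below): only targets on the forum's own host are accepted, everything else falls back to the index page. `$base_url` stands in for the forum's configured base URL and is an assumption.

```php
<?php
// Added example, not FluxBB code. Returns a redirect target that stays on the
// forum's own host; any other input yields the fallback (index.php).
function safe_redirect_target(string $redirect_url, string $base_url): string
{
    $fallback = rtrim($base_url, '/') . '/index.php';
    $base = parse_url($base_url);
    if ($base === false || empty($base['scheme']) || empty($base['host'])) {
        return $fallback;
    }

    // Control characters (including CR/LF) have no place in a Location header.
    if (preg_match('/[\x00-\x1f\x7f]/', $redirect_url)) {
        return $fallback;
    }

    $target = parse_url($redirect_url);
    if ($target === false) {
        return $fallback;
    }

    // Absolute or protocol-relative ("//evil.example") URL: parse_url() sets
    // 'host' for both, so require scheme, host and port to match the base URL.
    if (isset($target['scheme']) || isset($target['host'])) {
        if (!isset($target['scheme'], $target['host'])
            || strcasecmp($target['scheme'], $base['scheme']) !== 0
            || strcasecmp($target['host'], $base['host']) !== 0
            || ($target['port'] ?? null) !== ($base['port'] ?? null)) {
            return $fallback;
        }
        return $redirect_url;
    }

    // Relative URL: browsers normalise backslashes to slashes, so "/\evil.example"
    // would become protocol-relative after parsing succeeded here; refuse it.
    if (strpbrk($redirect_url, '\\') !== false) {
        return $fallback;
    }

    // Resolve the relative path against the forum's own base URL.
    return rtrim($base_url, '/') . '/' . ltrim($redirect_url, '/');
}

// Constructed inputs: a local path, a protocol-relative host, a foreign host.
$base_url = 'https://forum.example/';
foreach (['viewtopic.php?id=1', '//evil.example/', 'https://evil.example/x'] as $r) {
    echo $r, ' => ', safe_redirect_target($r, $base_url), PHP_EOL;
}
```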

History

Franz 2013-08-03 14:23:00

I will push the fix for this once I release 1.5.4. Probably tomorrow.

Franz 2013-08-10 20:32:03

Commit e973b9e to fluxbb master

#875: Add an anti-CSRF referrer check to email sending in misc.php.

Franz 2013-08-10 20:33:37

Guys, can you please check out this commit? If I had put some serious thought into this, I could have been much quicker in coming up with it, hehe wink

adaur 2013-08-10 20:45:49

Using Tamper Data, it seems I can still alter "redirect_url" without being warned.

Franz 2013-08-10 21:00:49

Yes, of course, but the point is it cannot be done to you from another site.

adaur 2013-08-10 21:09:24

Sure, sorry about that. In this case, everything is normal.

Franz 2013-08-12 19:47:00

  • Status changed from open to fixed.

The reporter confirmed this as fixed.

Franz 2013-08-14 16:30:09

  • Visibility set to public.

Franz 2013-08-14 16:33:50

Commit 94ed13c to fluxbb fluxbb-1.4

#875: Add an anti-CSRF referrer check to email sending in misc.php.

Koos 2013-09-23 16:52:08

This is the first time I've seen the confirm_referrer function applied to normal users. It was originally added to protect admins and moderators.

The security report says: "This can be exploited to perform certain actions with administrative privileges". How? I can't see how this is possible.


Franz 2013-09-25 10:01:03

That line isn't true. To be honest, the report wasn't particularly well-researched.