Ticket #875 (fixed bug)
Redirect URL after email dialog not verified
- Created: 2013-08-03 14:14:33
- Reported by: Franz
- Assigned to: Franz
- Milestone: 1.5.4
- Component: security
- Priority: highest
As described in this vulnerability report, the redirect_url field, which is used for sending the user back to where they came from, is not verified properly. This would allow attackers to use misc.php to redirect users to any URL on the internet.
It's sad that they decided to make this public without disclosing it to the developers first...
History
Franz 2013-08-10 20:33:37

Guys, can you please check out this commit? If I had put some serious thought into this, I could have been much quicker in coming up with this, hehe.
adaur 2013-08-10 20:45:49

Using Tamper Data, it seems I can still alter "redirect_url" without being warned.
Franz 2013-08-10 21:00:49

Yes, of course, but the point is it cannot be done to you from another site.
Koos 2013-09-23 16:52:08

This is the first time I've seen the confirm_referrer function applied to normal users. It was originally added to protect admins and moderators.
The security report says: "This can be exploited to perform certain actions with administrative privileges". How? I can't see how this is possible.
Franz 2013-09-25 10:01:03

That line isn't true. To be honest, the report wasn't particularly well-researched.
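
Added example, not part of the ticket and not FluxBB's code: a sketch of the two checks this ticket touches on, validating the redirect target itself and confirming that the request came from the board's own pages. The function names `safe_redirect_target` and `referrer_is_same_site` and all URLs are hypothetical, and it assumes the board's base URL is a well-formed absolute URL.

```php
<?php
// Added illustration, not FluxBB code. Function names and all URLs are constructed.

// Return $target only if it is an absolute URL on the same scheme, host and
// port as $baseUrl; otherwise return $fallback.
function safe_redirect_target(string $target, string $baseUrl, string $fallback): string
{
    // Control characters allow header injection; some browsers read "\" as "/".
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return $fallback;
    }
    $t = parse_url($target);
    $b = parse_url($baseUrl);
    if (!is_array($t) || !is_array($b)
        || !isset($t['scheme'], $t['host'], $b['scheme'], $b['host'])
        || isset($t['user'])) {
        return $fallback; // relative, scheme-relative ("//host"), userinfo or malformed
    }
    $port = fn(array $u): int => $u['port'] ?? (strtolower($u['scheme']) === 'https' ? 443 : 80);
    $same = strtolower($t['scheme']) === strtolower($b['scheme'])
        && strtolower($t['host']) === strtolower($b['host'])
        && $port($t) === $port($b);
    return $same ? $target : $fallback;
}

// Same-site referrer check (hypothetical helper): the form must have been
// submitted from a page on the board itself. A missing Referer header is
// treated as a failure.
function referrer_is_same_site(?string $referrer, string $baseUrl): bool
{
    return $referrer !== null && $referrer !== ''
        && safe_redirect_target($referrer, $baseUrl, '') === $referrer;
}

$base  = 'https://forum.example/';          // constructed board URL
$index = $base . 'index.php';               // fallback destination
foreach ([
    'https://forum.example/viewtopic.php?id=7',  // same site
    'https://evil.example/login',                // other host
    '//evil.example/',                           // scheme-relative
    'https://forum.example@evil.example/',       // userinfo in front of another host
    'https://forum.example.evil.example/',       // look-alike host
] as $candidate) {
    printf("%-42s => %s\n", $candidate, safe_redirect_target($candidate, $base, $index));
}
var_dump(referrer_is_same_site('https://evil.example/form.html', $base));
```

The referrer check only establishes where the form was submitted from; the target check is what constrains where the user ends up, so the two are complementary.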