
Ticket #961 (fixed bug)

Open Redirection Vulnerability

  • Created: 2014-04-01 21:34:29
  • Reported by: xtster
  • Assigned to: adaur
  • Milestone: 1.5.7
  • Component: security
  • Priority: high

Title: Open Redirection

"This vulnerability affects all FluxBB forum software. This happens because 'redirect_url' doesn't get filtered for external site links and hence redirects to the attacker's site."

Raw Request:

POST /forums/login.php?action=in
Host: fluxbb[dot]org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: fluxbb[dot]org/forums/login.php
Cookie: flux_lang=en; __utma=243298002.1627221749.1396387514.1396387514.1396387514.1; __utmb=243298002.11.10.1396387514; __utmc=243298002; __utmz=243298002.1396387514.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); flux_cookie=**************; flux_cookie_track=t7574%3D********%3B
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

form_sent=1&redirect_url=evil[dot]com&req_username=***&req_password=****&login=Login


As this request gets processed, the user gets redirected to the specified site, i.e. evil[dot]com here.




Shubham Raj
twitter.com/xceptioncode

History

xtster 2014-04-02 20:05:55

  • Visibility set to public.

quy 2014-04-02 20:17:10

  • Visibility set to private.

Franz 2014-04-03 18:27:34

  • Milestone set to 1.5.7.

Thank you very much for notifying us! I probably won't be able to make a release before April 15, as I'm traveling right now and have very limited time.

This seems to be similar to ticket #875.

xtster 2014-04-03 19:51:29

Well, I was not aware that it is already reported. Yes, both seem quite similar except for the affected page, and as it affects the login page, it could have a more significant impact.

Anyway, would probably report other vulnerabilities soon :)

BTW, does FluxBB publicly acknowledge vulnerability report and reporter?

adaur 2014-04-03 20:01:01

When the vulnerability is fixed, yes.

https://fluxbb.org/forums/viewtopic.php?id=7513

"I want to thank Andrew Story for reporting the vulnerability and cooperating in a quite supportive and quick manner."

By the way, I had already reported this...
https://fluxbb.org/development/core/tic … 272tz16186


xtster 2014-04-03 20:08:09

Okay, thanks ;)

adaur 2014-08-10 20:40:08

  • Owner set to adaur.

Commits are waiting

xtster 2014-08-11 11:45:52

Yes, waiting for updates as well..

adaur 2014-08-11 11:50:48

Can you test my pull and confirm it works for you?

https://github.com/fluxbb/fluxbb/pull/116/files

adaur 2014-10-18 11:01:36

Commit 0a9768c to fluxbb master

#961: Do not rely on $_POST['redirect_url'].

Franz 2014-10-18 14:21:42

Commit 6f1a5cc to fluxbb master

#961: Refactor code - create a new validate_redirect() function.

Franz 2014-10-18 14:53:56

  • Status changed from open to fixed.

Fixed now. There was a little bug in your patch, adaur - you used $_SERVER['HTTP_REFERER'] instead of the value from $_POST after validating the latter.

adaur 2014-10-18 15:43:06

Thank you. I'm truly sorry, I have another year of hard work ahead of me, then I'll be able to be more active again.

Franz 2014-10-18 18:15:24

No problem. Thanks for the patch!

Franz 2014-10-20 12:05:36

  • Visibility set to public.
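
The class of check this ticket ends with, as an added example: this is not FluxBB's validate_redirect() or any code from the commits above. The function name, its parameters, and the forum.example / evil.example values are assumptions made for illustration. It accepts a posted redirect target only when it is an absolute URL on the board's own origin and base path, and the caller redirects to the returned value rather than to the raw field or the Referer header.

```php
<?php
// Added example, not FluxBB's validate_redirect(); every name here is hypothetical.

// Return $candidate only when it is an absolute URL on the board's own
// scheme, host, port and base path; otherwise return $fallback.
function safe_redirect_target(string $candidate, string $base_url, string $fallback): string
{
    // Control characters enable header splitting; some browsers read "\" as "/".
    if ($candidate === '' || preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    $base = parse_url($base_url);
    $url  = parse_url($candidate);
    if (!is_array($base) || !is_array($url)) {
        return $fallback;
    }
    // Requiring scheme and host rejects bare hosts, "//host" and "javascript:".
    if (!isset($url['scheme'], $url['host'], $base['scheme'], $base['host'])) {
        return $fallback;
    }
    // Credentials in the authority ("board@other-host") are never legitimate here.
    if (isset($url['user']) || isset($url['pass'])) {
        return $fallback;
    }
    $same_origin = strcasecmp($url['scheme'], $base['scheme']) === 0
        && strcasecmp($url['host'], $base['host']) === 0
        && ($url['port'] ?? null) === ($base['port'] ?? null);
    // Compare whole path segments so "/forums-evil" does not match "/forums".
    $base_path = rtrim($base['path'] ?? '', '/') . '/';
    $in_board  = strncmp($url['path'] ?? '/', $base_path, strlen($base_path)) === 0;

    return ($same_origin && $in_board) ? $candidate : $fallback;
}

// Constructed inputs; forum.example stands in for the board's base URL.
$base    = 'https://forum.example/forums';
$samples = [
    'https://forum.example/forums/viewtopic.php?id=1', // same board: kept
    'evil.example',                                    // shape of the reported value
    '//evil.example/',
    'https://forum.example.evil.example/forums/',
    'https://forum.example@evil.example/forums/',
];
foreach ($samples as $posted) {
    // Redirect to the validated return value, never the raw POST field or the Referer.
    $target = safe_redirect_target($posted, $base, $base . '/index.php');
    printf("%-48s -> %s\n", $posted, $target);
}
```

Only the first sample is returned unchanged; the other four fall back to the board index.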