Full Disclosure mailing list archives
Re: Global Redirect 6.x-1.2 Arbitrary Redirection
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Sun, 23 May 2010 14:33:37 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I totally effed up on this one. It has rightfully been pointed out that this issue was public a *month* ago, and the disclosure was made by folks totally unrelated to Drupal security. Completely my bad. Sincerest apologies to all for my royal fuckup. I should have checked the module issue queue before reporting the issue in the first place!

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail can be verified using the key at http://www.madirish.net/gpgkey

On 05/23/2010 08:15 AM, Justin C. Klein Keane wrote:
Details of this vulnerability can also be found at: http://www.madirish.net/?article=460

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Global Redirect module (http://drupal.org/project/globalredirect) is designed to address issues with path aliases in Drupal that could result in user confusion or search engine sandboxing. Unfortunately the Global Redirect module does not perform adequate input checking.

Systems affected:
-----------------
Drupal 6.16 with Global Redirect 6.x-1.2 was tested and shown to be vulnerable. According to (http://drupal.org/project/usage/globalredirect) some 30,000 sites may be affected by this issue.

Impact
------
Attackers can provide links to a target site that actually redirect users to third party sites. Such tactics are common in phishing and other trust exploitation attacks. For instance, attackers could provide a link to a legitimate site in an e-mail that when clicked on would take the user to an untrusted third party site.

Mitigating factors:
-------------------
In order to execute the proof of concept described below the attacker must trick a user into clicking on a link with malicious parameters.

Proof of Concept:
-----------------
Attackers need only provide a link to the target site appended with /index.php?q=[target_url]. For instance, if the site in question were http://172.16.46.129/drupal-6.16, the following link would redirect the user to the Google.com homepage:

http://172.16.46.129/drupal-6.16/index.php?q=http://www.google.com

Technical Discussion:
---------------------
The drupal_goto function (http://api.drupal.org/api/function/drupal_goto) normally restricts redirects to local links utilizing a check on lines 323-327 in includes/common.inc. However, the Global Redirect module does not perform any such checking.
If a redirect request is detected in the form of a URL GET parameter of 'q' when calling the index page, the Global Redirect module forwards the request to the parameter value.

Vendor Response:
----------------
In an uncoordinated disclosure, Drupal security decided to handle this issue publicly at http://drupal.org/node/768244.

Patch:
------
Applying the following patch mitigates this vulnerability:

--- globalredirect/globalredirect.module 2008-12-22 05:34:32.000000000 -0500
+++ globalredirect.fixed/globalredirect.module 2010-05-21 15:26:08.497695637 -0400
@@ -146,7 +146,12 @@ function globalredirect_init() {
if ($_REQUEST['q'] != $prefix . $alias) {
// If it's not just a slash or user has deslash on, redirect
if (str_replace($prefix . $alias, '', $_REQUEST['q']) != '/' || $redirect_slash) {
- drupal_goto($alias, $query_string, NULL, 301);
+ // Do not redirect to an absolute URL originating from user input.
+ $colonpos = strpos($request, ':');
+ $absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($request, 0, $colonpos)));
+ if (!$absolute) {
+ drupal_goto($request, $query_string, NULL, 301);
+ }
}
}
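Review bot: `$request` is never defined in the visible hunk; the surrounding context tests `$_REQUEST['q']` and the removed line redirected to `$alias`, so both the new scheme check (`strpos($request, ':')`) and the replacement call `drupal_goto($request, $query_string, NULL, 301);` operate on a variable whose value this hunk does not establish, which means the redirect target silently changes from the computed alias to whatever `$request` happens to hold. Apply the check to the same value that is actually handed to drupal_goto (keep `drupal_goto($alias, $query_string, NULL, 301);` and compute `$colonpos = strpos($alias, ':');`), or include the line where `$request` is assigned. A one-line comment noting that this duplicates the local-path test drupal_goto already performs (the text points at includes/common.inc lines 323-327) would also tell future maintainers why the module carries its own copy.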
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkv5dQEACgkQkSlsbLsN1gAFfAb+MghsWPqsmAmU5Ac+U99OT+zV
DjE/aM4A9OPHfjrgA4sn8NkG6rHX03JGb9wIKAzM//2B08zyj7C/v/1SnFMZibrp
hKVhRKMxJMAA9kV8W0EvF6xnCeQc8jnKVZ2LC9tLlXYdpvF/P0Uq144w/Bi5URpW
Qh3JNdfbFUHmguXE3K266yOhnckMGw5vKgANkv6i5KXdsNPGGrz6pM5e/XKHheUT
+ybLGxGRIVkggRGZ9KAjkbUY1Pda0QNN/DmIKLh/bccDSaZAIbtX5o7s1usuPvdn
NE2O9Dmf9KrzkefuWIo=
=u2Xe
-----END PGP SIGNATURE-----
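The fix in the thread above rests on one test: a path is treated as an absolute URL when a colon appears before any '/', '?' or '#'. The following PHP script is an added example written for this page, not code from the Global Redirect module, from Drupal, or from the advisory; it isolates that test in a standalone function and pairs it with a redirect helper that only ever appends user input to the site's own base URL and refuses absolute URLs outright. The function names `example_is_absolute_url` and `example_safe_redirect_target`, and the sample paths, are assumed names and constructed inputs.

```php
<?php
// Added example (not code from the Global Redirect module or the advisory):
// the "is this path an absolute URL?" test that the posted patch applies
// before calling drupal_goto(), plus a redirect helper that never emits a
// target outside the site's own base URL.

/**
 * Returns TRUE when $path carries a URL scheme, i.e. a colon appears before
 * any '/', '?' or '#'. "http://www.google.com" is absolute; "node/1" and
 * "search/node/a:b" are not, because the first colon in the latter comes
 * after a path separator. This is the same rule the patch in the thread uses.
 */
function example_is_absolute_url($path) {
  $colonpos = strpos($path, ':');
  if ($colonpos === FALSE) {
    return FALSE;
  }
  // A '/', '?' or '#' before the colon means the colon belongs to the path
  // or query string, not to a scheme delimiter.
  return !preg_match('![/?#]!', substr($path, 0, $colonpos));
}

/**
 * Builds the redirect target the way a hardened module should: the
 * user-supplied path is only ever appended to the site's own base URL, and
 * absolute URLs are refused (NULL is returned) instead of being passed on.
 * $base_url is an assumed, constructed value supplied by the caller.
 */
function example_safe_redirect_target($base_url, $path, $query = '') {
  if (example_is_absolute_url($path)) {
    return NULL;  // Refuse: this is the open-redirect case.
  }
  $target = rtrim($base_url, '/') . '/' . ltrim($path, '/');
  if ($query !== '') {
    $target .= '?' . $query;
  }
  return $target;
}

// Constructed sample inputs, modelled on the proof of concept in the thread.
$base = 'http://172.16.46.129/drupal-6.16';   // site URL from the advisory
$samples = array(
  'node/1',                  // ordinary alias: redirect allowed
  'search/node/a:b',         // colon after a slash: still a local path
  'http://www.google.com',   // the PoC payload: refused
  '//www.google.com',        // no scheme: stays under the base URL
  'ftp://example.com/file',  // scheme, no separators before it: refused
);
foreach ($samples as $q) {
  $target = example_safe_redirect_target($base, $q);
  printf("%-26s -> %s\n", $q, $target === NULL ? '(refused: absolute URL)' : $target);
}
```

Run it with `php` on the command line; each sample prints either the local target that would be placed in the Location header or "(refused: absolute URL)". The helper deliberately strips leading slashes from the user path before joining, so a scheme-less value like `//www.google.com` lands under the site's base URL rather than being emitted as a protocol-relative redirect.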
Current thread:
- Global Redirect 6.x-1.2 Arbitrary Redirection Justin C. Klein Keane (May 23)
- Re: Global Redirect 6.x-1.2 Arbitrary Redirection Justin C. Klein Keane (May 23)