Re: [Full-disclosure] Global Redirect 6.x-1.2 Arbitrary Redirection
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Global Redirect 6.x-1.2 Arbitrary Redirection
- From: "Justin C. Klein Keane" <justin@xxxxxxxxxxxx>
- Date: Sun, 23 May 2010 14:33:37 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I totally effed up on this one. It has rightfully been pointed out that
this issue was public a *month* ago, and the disclosure was made by
folks totally unrelated to Drupal security. Completely my bad.
Sincerest apologies to all for my royal fuckup. I should have checked
the module issue queue before reporting the issue in the first place!
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this e-mail can be verified using
the key at http://www.madirish.net/gpgkey
On 05/23/2010 08:15 AM, Justin C. Klein Keane wrote:
> Details of this vulnerability can also be found at:
> http://www.madirish.net/?article=460
>
> Description of Vulnerability:
> -----------------------------
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL. The Drupal Global Redirect module
> (http://drupal.org/project/globalredirect) is designed to address issues
> with path aliases in Drupal that could result in user confusion or
> search engine sandboxing. Unfortunately the Global Redirect module does not
> perform adequate input checking.
>
> Systems affected:
> -----------------
> Drupal 6.16 with Global Redirect 6.x-1.2 was tested and shown to be
> vulnerable. According to
> (http://drupal.org/project/usage/globalredirect) some 30,000 sites may
> be affected by this issue.
>
> Impact
> ------
> Attackers can provide links to a target site that actually redirect users
> to third party sites. Such tactics are common in phishing and other
> trust exploitation attacks. For instance, attackers could provide a
> link to a legitimate site in an e-mail that when clicked on would take
> the user to an untrusted third party site.
>
> Mitigating factors:
> -------------------
> In order to execute the proof of concept described below the attacker
> must trick a user into clicking on a link with malicious parameters.
>
>
> Proof of Concept:
> -----------------
> Attackers need only provide a link to the target site appended with
> /index.php?q=[target_url]. For instance, if the site in question were
> http://172.16.46.129/drupal-6.16, the following link would redirect the
> user to the Google.com homepage:
>
> http://172.16.46.129/drupal-6.16/index.php?q=http://www.google.com
>
> Technical Discussion:
> ---------------------
> The drupal_goto function
> (http://api.drupal.org/api/function/drupal_goto) normally restricts
> redirects to local links utilizing a check on lines 323-327 in
> includes/common.inc. However, the Global Redirect module does not
> perform any such checking. If a redirect request is detected in the
> form of a URL GET parameter of 'q' when calling the index page the
> Global Redirect module forwards the request to the parameter value.
>
> Vendor Response:
> ----------------
> In an uncoordinated disclosure, Drupal security decided to handle this
> issue publicly at http://drupal.org/node/768244.
>
> Patch:
> ------
> Applying the following patch mitigates this vulnerability:
> --- globalredirect/globalredirect.module 2008-12-22
> 05:34:32.000000000 -0500
> +++ globalredirect.fixed/globalredirect.module 2010-05-21
> 15:26:08.497695637 -0400
> @@ -146,7 +146,12 @@ function globalredirect_init() {
> if ($_REQUEST['q'] != $prefix . $alias) {
> // If it's not just a slash or user has deslash on, redirect
> if (str_replace($prefix . $alias, '', $_REQUEST['q']) != '/' ||
> $redirect_slash) {
> - drupal_goto($alias, $query_string, NULL, 301);
> + // Do not redirect to an absolute URL originating from user input.
> + $colonpos = strpos($request, ':');
> + $absolute = ($colonpos !== FALSE &&
> !preg_match('![/?#]!', substr($request, 0, $colonpos)));
> + if (!$absolute) {
> + drupal_goto($request, $query_string, NULL, 301);
> + }
> }
> }
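Review bot: the added guard tests `$request`, but the line it replaces redirected to `$alias`, and `$request` is not assigned anywhere in the visible hunk; if it is not set earlier in globalredirect_init(), the `strpos()` call operates on an undefined variable, `$absolute` is always FALSE, and the 301 is issued with an empty target. Either check and redirect the same variable (`$alias` in the original call) or widen the hunk context so the assignment of `$request` is visible. It is also worth stating in the patch description that an absolute target now falls through with no redirect at all rather than being rewritten to a local path, since that is a behaviour change callers of this branch may not expect.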
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iPwEAQECAAYFAkv5dQEACgkQkSlsbLsN1gAFfAb+MghsWPqsmAmU5Ac+U99OT+zV
DjE/aM4A9OPHfjrgA4sn8NkG6rHX03JGb9wIKAzM//2B08zyj7C/v/1SnFMZibrp
hKVhRKMxJMAA9kV8W0EvF6xnCeQc8jnKVZ2LC9tLlXYdpvF/P0Uq144w/Bi5URpW
Qh3JNdfbFUHmguXE3K266yOhnckMGw5vKgANkv6i5KXdsNPGGrz6pM5e/XKHheUT
+ybLGxGRIVkggRGZ9KAjkbUY1Pda0QNN/DmIKLh/bccDSaZAIbtX5o7s1usuPvdn
NE2O9Dmf9KrzkefuWIo=
=u2Xe
-----END PGP SIGNATURE-----
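As an added example that is not part of the advisory or of the Global Redirect module, the following standalone PHP shows the defensive check the technical discussion calls for: a redirect target taken from the user-supplied `q` parameter is only honoured when it is a site-local path, using the same colon-before-any-`/`, `?` or `#` scheme test as the quoted patch, and the `Location` value is always built from the site's own base URL so the result cannot leave the site. The function names, the base URL and the sample inputs are constructed for this example and do not come from Drupal's API.

```php
<?php
// Added example (not the advisory's or the module's code). Demonstrates the
// open-redirect defence discussed above: only site-local paths taken from the
// user-supplied 'q' parameter may become 301 targets.

// Returns TRUE when $target carries a URL scheme, i.e. a ':' appears before any
// '/', '?' or '#'. "http://example.org" and "mailto:x@example.org" are
// absolute; "node/1?k=a:b" is not, because '/' precedes the colon.
function redirect_target_is_absolute($target) {
    $colonpos = strpos($target, ':');
    return $colonpos !== false
        && !preg_match('![/?#]!', substr($target, 0, $colonpos));
}

// Builds the Location value for a user-supplied target, or returns NULL when
// the target must not be followed. $base_url is the site's own origin, e.g.
// "http://example.org/drupal" (constructed for this example). Leading slashes
// are trimmed so the result is always anchored under $base_url, which also
// neutralises scheme-relative targets such as "//example.net/path".
function local_redirect_location($target, $base_url) {
    if ($target === '' || redirect_target_is_absolute($target)) {
        return null;
    }
    return rtrim($base_url, '/') . '/' . ltrim($target, '/');
}

// Request handler: returns the Location to send, or NULL when the request
// should be served without any redirect. $request stands in for $_REQUEST.
function handle_request(array $request, $base_url) {
    $target = isset($request['q']) ? (string) $request['q'] : '';
    return local_redirect_location($target, $base_url);
}

// Self-check with constructed inputs; run as: php redirect_check.php
$base  = 'http://example.org/drupal';
$cases = array(
    'node/1'                => 'plain local path: allowed',
    'node/1?k=a:b'          => 'colon after "/": still local',
    'http://www.google.com' => 'absolute URL from the advisory PoC: rejected',
    'mailto:x@example.org'  => 'non-http scheme: rejected',
    '//example.net/path'    => 'scheme-relative: trimmed, stays under base',
    ''                      => 'empty target: no redirect',
);
foreach ($cases as $q => $note) {
    $location = handle_request(array('q' => $q), $base);
    printf("%-24s -> %s  [%s]\n",
           $q === '' ? "''" : $q,
           $location === null ? 'NO REDIRECT' : $location,
           $note);
}
```

Under a web SAPI, a non-NULL result from `handle_request()` would be passed to `header('Location: ' . $location, true, 301)` followed by `exit`; the self-check only prints the decision for each constructed input so it can be run from the command line.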