lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1e85415f1003040706w43cb70e7x46c178dbe1c27beb@mail.gmail.com>
Date: Thu, 4 Mar 2010 10:06:07 -0500
From: Martin Barbella <martybarbella@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Open redirection vulnerability in the Drupal API function drupal_goto 
	(Drupal 6.15 and 5.21)

Open redirection vulnerability in the Drupal API function drupal_goto
(Drupal 6.15 and 5.21)

Discovered by Martin Barbella <martybarbella@...il.com>

Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website (http://drupal.org/about).

The drupal_goto API function is meant to "send the user to a different
Drupal page. This issues an on-site HTTP redirect. The function makes
sure the redirected URL is formatted correctly"
(http://api.drupal.org/api/function/drupal_goto).

This function will also check $_REQUEST['destination'] and
$_REQUEST['edit']['destination'], and if either of these variables are
set, will override any specified path with the path element of the
associative array returned when passing either request variable
through parse_url.

When a URL such as
"trickparseurl:http://cwe.mitre.org/data/definitions/601.html" is
passed to PHP's parse_url function, it will return:

array(2) {
  ["scheme"]=>
  string(13) "trickparseurl"
  ["path"]=>
  string(46) "http://cwe.mitre.org/data/definitions/601.html"
}

This causes the Drupal API function url to treat what is meant to be a
relative path as an external URL, which a user would then be
redirected to. It is important to note that using a destination such
as "http://example.com/" would not result in an external redirect on
its own.

Systems affected:
-----------------
This issue has been corrected in Drupal 6.16 and 5.22. Earlier
versions are affected.

Impact:
-------
This API function is called by many of Drupal's core modules, as well
as various contributed modules. It affects form handlers, including
the login form handler, so almost all Drupal sites would be affected
by this.

Open redirection vulnerabilities can be exploited by attackers
attempting phishing scams to give their attempts a more trustworthy
appearance.

Mitigating factors:
-------------------
The path is parsed by the Drupal API url function, which will check
that the protocols of URLs it determines to be external are among a
set of approved protocols. This prevents redirection to URLs with
protocols such as data: or javascript:.

Proof of concept:
-----------------
1. Install Drupal 5.22 or 6.15
2. Visit http://site/?q=user/login&destination=trickparseurl:http://cwe.mitre.org/data/definitions/601.html
3. Log in with valid credentials, as the redirect will only happen on
a successful login (otherwise, a login failed error will be displayed)
4. Note that you will be redirected to the CWE page on open
redirection vulnerabilities

Solution:
---------
Upgrade to one of the latest versions of Drupal (6.16 or 5.22).

Timeline:
---------
2010-02-17 - Drupal Security notified
2010-02-18 - Response from Drupal Security
2010-03-03 - Drupal 6.16 and 5.22 released
2010-03-04 - Public disclosure

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ