lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 23 May 2010 08:15:14 -0400
From: "Justin C. Klein Keane" <justin@...irish.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Global Redirect 6.x-1.2 Arbitrary Redirection

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Details of this vulnerability can also be found at:
http://www.madirish.net/?article=460

Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal Global Redirect module
(http://drupal.org/project/globalredirect) is designed to address issues
with path aliases in Drupal that could result in user confusion or
search engine sandboxing.  Unfortunately the Global Redirect does not
perform adequate input checking.

Systems affected:
- -----------------
Drupal 6.16 with Global Redirect 6.x-1.2 was tested and shown to be
vulnerable.  According to
(http://drupal.org/project/usage/globalredirect) some 30,000 sites may
be affected by this issue.

Impact
- ------
Attackers can provide links to target site that actually redirect users
to third party sites.  Such tactics are common in phishing and other
trust exploitation attacks.  For instance, attackers could provide a
link to a legitimate site in an e-mail that when clicked on would take
the user to an untrusted third party site.

Mitigating factors:
- -------------------
In order to execute the proof of concept described below the attacker
must trick a user into clicking on a link with malicious parameters.


Proof of Concept:
- -----------------
Attackers need only provide a link to the target site appended with
/index.php?q=[target_url].  For instance, if the site in question were
http://172.16.46.129/drupal-6.16, the following link would redirect the
user to the Google.com homepage:

http://172.16.46.129/drupal-6.16/index.php?q=http://www.google.com

Technical Discussion:
- ---------------------
The drupal_goto function
(http://api.drupal.org/api/function/drupal_goto) normally restricts
redirects to local links utilizing a check on lines 323-327 in
includes/common.inc.  However, the Global Redirect module does not
perform any such checking.  If a redirect request is detected in the
form of a URL get parameter of 'q' when calling the index page the
Global Redirect module forwards the request to the parameter value.

Vendor Response:
- ----------------
In an uncoordinated disclosure, Drupal security decided to handle this
issue publicly at http://drupal.org/node/768244.

Patch:
- ------
Applying the following patch mitigates this vulnerability:
- --- globalredirect/globalredirect.module        2008-12-22
05:34:32.000000000 -0500
+++ globalredirect.fixed/globalredirect.module  2010-05-21
15:26:08.497695637 -0400
@@ -146,7 +146,12 @@ function globalredirect_init() {
     if ($_REQUEST['q'] != $prefix . $alias) {
       // If it's not just a slash or user has deslash on, redirect
       if (str_replace($prefix . $alias, '', $_REQUEST['q']) != '/' ||
$redirect_slash) {
- -        drupal_goto($alias, $query_string, NULL, 301);
+        // Do not redirect to an absolute URL originating from user input.
+               $colonpos = strpos($request, ':');
+               $absolute = ($colonpos !== FALSE &&
!preg_match('![/?#]!', substr($request, 0, $colonpos)));
+               if (!$absolute) {
+                       drupal_goto($request, $query_string, NULL, 301);
+               }
       }
     }
- -- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this e-mail can be verified using
the key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkv5HFIACgkQkSlsbLsN1gDTEwb+K8BtiYkkw4Lf2kL7bNmou6Lm
3OXOtPYnTPwtT+ILGI7XcI9gnp4GZxHoyqbJc+TKDh+Xq8+o/RgME5XSbS1Gch6z
VJA1REZP4QC5mNBM7blGLe6YhJynDomze0Q4U31M+jp5AIOE0Ws8eZU9VbK8n2v4
HGJ6brifbvoLHjOfUromF9tTnxRANPH1SM8qxgBwFS2O673eKTcVjKqfJ7PEmYpQ
+XKqIyypX/tR/VxrnIfuaj5cT+k9eluNvGoHxJ5rtKblR+4AG964y6ALVvFvfp/w
6K2rGg9sJ9nRSyxfGFU=
=10Du
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists