
Defect #19577

Updated by Jan from Planio www.plan.io about 9 years ago

h2. Summary

The valid_back_url? method, used e.g. after a login to redirect the user back to where they came from, doesn't properly validate the passed URL. The result is an open redirect vulnerability which can be used for phishing and other attacks.

After the redirect to the untrusted site, phishers may steal the user's credentials and then use these credentials to access the legitimate web site. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

h2. Description

When redirecting the user back after a successful login, redirect_back_or_default tries to validate the passed URL to ensure that the target of the HTTP 302 redirect is valid.

However, the valid_back_url? method used to validate the URL doesn't take some cases into account, which can result in a redirect to an arbitrarily chosen host.

Example exploit:

    http://redmine.example.com/login?back_url=@attacker.com

This URL results in a redirect to

    http://redmine.example.com@attacker.com

which results in a request to http://attacker.com with redmine.example.com passed as a basic auth user.

h2. Credits

This issue was discovered by Yassine ABOUKIR of http://yassineaboukir.com/. The patch was developed by Holger Just of Planio.

h2. Solution

The attached patch fixes this vulnerability. It adapts the valid_back_url? method into a method called validate_back_url which returns the validated and cleaned-up URL that can then be used by the redirect method.

The patch cleanly applies against the current trunk as well as previous Redmine versions (including 2.5, 2.6, and 3.0).
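To illustrate the shape of a validator that returns a cleaned-up value rather than a boolean, here is an added example of such a check, written for this page and not taken from the attached patch or from Redmine's own validate_back_url. It assumes a hypothetical method signature `validate_back_url(back_url, host:)` and reduces any accepted input to a same-origin path plus query string, so a userinfo component like the one in the example exploit above ("@attacker.com") never reaches the redirect:

```ruby
require 'uri'

# Hypothetical validator for a login "back_url" parameter (added example;
# not Redmine's actual validate_back_url implementation).
# Returns a same-origin path (with query string) that is safe to redirect
# to, or nil when the value must be discarded in favour of the default.
def validate_back_url(back_url, host:)
  return nil if back_url.nil?
  url = back_url.strip
  return nil if url.empty?

  begin
    uri = URI.parse(url)
  rescue URI::InvalidURIError
    return nil
  end

  # A userinfo component ("http://redmine.example.com@attacker.com") is
  # exactly the trick described in the report: never accept one.
  return nil if uri.userinfo

  if uri.host
    # Absolute URL: only plain http(s) and only our own host.
    return nil unless %w[http https].include?(uri.scheme)
    return nil unless uri.host.casecmp?(host)
  else
    # Relative reference: no scheme (rules out "javascript:" and friends)
    # and a path that starts with "/". "//attacker.com" parses with a host
    # and was handled above; "@attacker.com" lands here with no leading
    # slash and is rejected.
    return nil if uri.scheme
    return nil unless uri.path.start_with?('/')
  end

  # Re-emit only path and query so scheme, host and userinfo never reach
  # the redirect, whatever prefix the caller later prepends.
  path = uri.path.empty? ? '/' : uri.path
  uri.query ? "#{path}?#{uri.query}" : path
end
```

The caller would then do something like `redirect_to(validate_back_url(params[:back_url], host: request.host) || default_url)`; because the method returns the cleaned path instead of a yes/no answer, there is no second place where the raw parameter could be re-read and used unvalidated.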
