Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23314
HistoryMar 04, 2010 - 12:00 a.m.

Open redirection vulnerability in the Drupal API function drupal_goto (Drupal 6.15 and 5.21)

2010-03-0400:00:00
vulners.com
64
JSON

Open redirection vulnerability in the Drupal API function drupal_goto
(Drupal 6.15 and 5.21)

Discovered by Martin Barbella <[email protected]>

Description of Vulnerability:

Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website (http://drupal.org/about&#41;.

The drupal_goto API function is meant to "send the user to a different
Drupal page. This issues an on-site HTTP redirect. The function makes
sure the redirected URL is formatted correctly"
(http://api.drupal.org/api/function/drupal_goto&#41;.

This function will also check $_REQUEST['destination'] and
$_REQUEST['edit']['destination'], and if either of these variables are
set, will override any specified path with the path element of the
associative array returned when passing either request variable
through parse_url.

When a URL such as
"trickparseurl:http://cwe.mitre.org/data/definitions/601.html&quot; is
passed to PHP's parse_url function, it will return:

array(2) {
["scheme"]=>
string(13) "trickparseurl"
["path"]=>
string(46) "http://cwe.mitre.org/data/definitions/601.html&quot;
}

This causes the Drupal API function url to treat what is meant to be a
relative path as an external URL, which a user would then be
redirected to. It is important to note that using a destination such
as "http://example.com/&quot; would not result in an external redirect on
its own.

Systems affected:

This issue has been corrected in Drupal 6.16 and 5.22. Earlier
versions are affected.

Impact:

This API function is called by many of Drupal's core modules, as well
as various contributed modules. It affects form handlers, including
the login form handler, so almost all Drupal sites would be affected
by this.

Open redirection vulnerabilities can be exploited by attackers
attempting phishing scams to give their attempts a more trustworthy
appearance.

Mitigating factors:

The path is parsed by the Drupal API url function, which will check
that the protocols of URLs it determines to be external are among a
set of approved protocols. This prevents redirection to URLs with
protocols such as data: or javascript:.

Proof of concept:

  1. Install Drupal 5.22 or 6.15
  2. Visit
    http://site/?q=user/login&amp;destination=trickparseurl:http://cwe.mitre.org/data/definitions/601.html
  3. Log in with valid credentials, as the redirect will only happen on
    a successful login (otherwise, a login failed error will be displayed)
  4. Note that you will be redirected to the CWE page on open
    redirection vulnerabilities

Solution:

Upgrade to one of the latest versions of Drupal (6.16 or 5.22).

Timeline:

2010-02-17 - Drupal Security notified
2010-02-18 - Response from Drupal Security
2010-03-03 - Drupal 6.16 and 5.22 released
2010-03-04 - Public disclosure

JSON