Forum OpenACS Development: Security breach in ad_returnredirect! Really?
ad_returnredirect is capable of redirecting users to servers different from the current one. This is apparently considered a security flaw, as a company that is currently conducting a security analysis of ]project-open[ says:
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain. The value of the return_url request parameter is used to perform an HTTP redirect.
My proposal: By default prohibit redirection to absolute URLs, unless a specific parameter allows such redirection. What do you think about including this in OpenACS 8.5?
anyhow, in oacs-5-8, the test returns correctly =>1
ad_returnredirect doesn't check the URL parameter for \n line breaks and so allows modifying the header of the response. Here is the explanation:
You can test this behavior on any ]po[ page (for example: http://po40demo.project-open.net/intranet/, email@example.com, passwd=ben). Then enter the URL: /intranet/biz-object-tree-open-close?open%5fp=c&return%5furl=b5a54%0d%0aa882d&object%5fid=29137&page%5furl=default&user%5fid=624
The resulting HTTP response contains:
The problem occurs because ad_returnredirect passes on the %0d and %0a characters to the response header. So sanitizing the return_url this way should be mostly harmless and be a security enhancement for OpenACS 5.8, shouldn't it?
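The two problems raised in this thread, open redirection to absolute URLs and CR/LF characters reaching the Location header, can be closed by one check on return_url before the redirect is issued. The following is an added, illustrative validator written in Python; it is not OpenACS code and not the Tcl fix applied to ad_returnredirect. It models the proposal from the first post (reject absolute URLs unless a parameter explicitly allows them, and then only for an allow-list of hosts) together with the header-injection fix from this post, and it rejects rather than strips a bad value. The names validate_return_url, DEFAULT_RETURN_URL, the allowed_hosts/allow_absolute parameters and the host intranet.example.com are assumptions made up for the example; the %0d%0a value is the one shown in this post.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical fallback used whenever a return_url is rejected (not from OpenACS).
DEFAULT_RETURN_URL = "/"

# Any C0 control character (CR 0x0d and LF 0x0a included) or DEL must never
# be copied into a response header: CR/LF terminates the header line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_return_url(return_url, allowed_hosts=(), allow_absolute=False):
    """Return (accepted, url_for_location_header).

    return_url is the request parameter as the application sees it.  On
    rejection the function returns DEFAULT_RETURN_URL so the caller always has
    a safe target.  allowed_hosts is an allow-list of lowercase host names that
    may be redirected to when allow_absolute is True (constructed for this
    example; OpenACS has no such parameter).
    """
    if not return_url:
        return False, DEFAULT_RETURN_URL

    # The server normally decodes the parameter before the application sees
    # it; decoding once more for the check means a caller that passes the raw
    # query value ("b5a54%0d%0aa882d") is still caught.  A legitimate literal
    # "%0d" in a path is rejected as well, which is the conservative side.
    # Browsers treat backslashes as slashes, so "/\evil" is inspected as
    # "//evil" (a protocol-relative absolute URL).
    probe = unquote(return_url).replace("\\", "/")

    if _CONTROL_CHARS.search(probe):
        return False, DEFAULT_RETURN_URL

    parts = urlsplit(probe)
    if parts.scheme or parts.netloc:
        # Absolute ("https://host/..."), scheme-only ("javascript:...") or
        # protocol-relative ("//host/...") target.
        if not allow_absolute:
            return False, DEFAULT_RETURN_URL
        if parts.scheme not in ("http", "https"):
            return False, DEFAULT_RETURN_URL
        if parts.hostname not in allowed_hosts:
            return False, DEFAULT_RETURN_URL
        return True, return_url

    # Site-relative target: must be a path starting at the site root.
    if not probe.startswith("/"):
        return False, DEFAULT_RETURN_URL
    return True, return_url


if __name__ == "__main__":
    # Constructed sample inputs, including the CR/LF value from the report above.
    samples = [
        "/intranet/",
        "b5a54%0d%0aa882d",
        "b5a54\r\na882d",
        "https://evil.example/phish",
        "//evil.example/phish",
        "/\\evil.example",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(repr(s), "->", validate_return_url(s))
    print(validate_return_url("https://intranet.example.com/home",
                              allowed_hosts=("intranet.example.com",),
                              allow_absolute=True))
```

The check is done on the decoded, slash-normalised form but the original parameter value is what is returned for the header, so nothing is re-encoded or altered on the accepted path; whatever actually emits the Location header still has to do so without interpreting the value further.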
many thanks for reporting!
however, the "double-fix" in OpenACS fixes the ad_returnredirect case for older versions of NaviServer and AolServer as well.