Bareos Bug Tracker

View Issue Details
ID: 0000781
Project: bareos-core
Category: [All Projects] webui
View Status: public
Date Submitted: 2017-02-09 14:48
Last Update: 2017-06-08 16:49
Reporter: ehuggett
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 16.2.4
Target Version:
Fixed in Version: 16.2.6
Summary: 0000781: Login will redirect to arbitrary urls from req parameter
Description:
When a session times out the user is redirected to the login form with the path to the requested page as a URL parameter. For example, a request for the dashboard without a valid session will redirect the user to:

https://[hostname]/bareos-webui/auth/login?req=/bareos-webui/dashboard/

I changed the value of the req parameter to https://www.google.com (URL encoded):

https://[hostname]/bareos-webui/auth/login?req=https%3A%2F%2Fwww.google.com

And when I logged in I was redirected to https://www.google.com.

As the redirect is done in the "Location" header of the HTTP response, I did attempt to inject headers into the HTTP response, but it seems including URL-encoded carriage returns (fortunately) results in an HTTP status code of 500 with no Location header or injected header returned.

A user with a valid session enticed to use such a link is not redirected to the value of the req parameter and instead appears to always be returned to the dashboard.

I have done nothing further to look into this behaviour, but I would suggest that it is undesirable, and perhaps someone with more time could check for other potential misuse of this parameter? (For example, if combined with issue 0000732, does this result in a job being run? etc.)
Tags: No tags attached.
bareos-master: impact: yes
bareos-master: action: fixed
bareos-17.2: impact:
bareos-17.2: action:
bareos-16.2: impact: yes
bareos-16.2: action: fixed
bareos-15.2: impact:
bareos-15.2: action:
bareos-14.2: impact:
bareos-14.2: action:
bareos-13.2: impact:
bareos-13.2: action:
bareos-12.4: impact:
bareos-12.4: action:
Attached Files

- Relationships
child of 0000794 (closed, stephand): Release bareos-16.2.6

- Notes
(0002609)
frank (manager)
2017-03-16 16:30

Fix committed to bareos-webui bareos-16.2 branch with changesetid 6920.

- Related Changesets
bareos-webui: bareos-16.2 455f6b5c
Timestamp: 2017-03-16 16:10:48
Author: frank
Ported: N/A
Fix to bugreport 0000781

Check if request URI matches against registered Router
to prevent injected arbitrary uri redirects.

Fixes 0000781: Login will redirect to arbitrary urls from req parameter
mod - module/Auth/src/Auth/Controller/AuthController.php
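The check described in the report (the req parameter must not be allowed to name an off-site URL or carry header-injection characters) and in the changeset message above (match the requested URI against the registered routes before redirecting), written out as an added PHP example. This is not the Bareos WebUI code from AuthController.php: the function name, the route-prefix list standing in for the Zend router, and the default target are assumptions made for the illustration.

```php
<?php
// Added example, not Bareos WebUI code. Validates a post-login redirect
// target such as the "req" parameter from bug 0000781.
//
// Assumptions: the application's registered routes are approximated by a list
// of path prefixes ($registeredRoutes); the real application would ask its
// router instead. $default is where an unsafe value is redirected to.

/**
 * Return $req if it is a local path that matches a registered route,
 * otherwise return $default. Never returns an absolute or off-site URL.
 */
function safeRedirectTarget(string $req, array $registeredRoutes, string $default): string
{
    // Header-injection guard: CR, LF or NUL must never reach a Location header.
    if (preg_match('/[\r\n\0]/', $req)) {
        return $default;
    }

    $parts = parse_url($req);
    if ($parts === false) {
        return $default;
    }

    // Any scheme, host, userinfo or port means an absolute or protocol-relative
    // URL (https://other.example, //other.example, javascript:...): reject.
    if (isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user']) || isset($parts['port'])) {
        return $default;
    }

    $path = $parts['path'] ?? '';

    // Must be an absolute path on this site. Backslashes are rejected because
    // browsers normalise "/\other.example" to "//other.example".
    if ($path === '' || $path[0] !== '/' || strpos($path, '\\') !== false) {
        return $default;
    }

    // Refuse dot-dot segments so the prefix match below cannot be sidestepped.
    if (in_array('..', explode('/', $path), true)) {
        return $default;
    }

    // Keep the query string (e.g. a job id) but drop any fragment.
    $target = $path . (isset($parts['query']) ? '?' . $parts['query'] : '');

    // The path must be, or lie under, a registered route.
    foreach ($registeredRoutes as $route) {
        $route = rtrim($route, '/');
        if ($path === $route || $path === $route . '/' || strpos($path, $route . '/') === 0) {
            return $target;
        }
    }

    return $default;
}

// Demonstration with constructed inputs (assumed route list and default).
$routes  = ['/bareos-webui/dashboard', '/bareos-webui/job', '/bareos-webui/client'];
$default = '/bareos-webui/dashboard/';

$cases = [
    '/bareos-webui/dashboard/'                  => '/bareos-webui/dashboard/',  // normal timeout case
    'https://www.google.com'                    => $default,  // the value from the report
    '//www.google.com/'                         => $default,  // protocol-relative
    '/\\www.google.com'                         => $default,  // backslash normalisation
    "/bareos-webui/dashboard/\r\nX-Injected: 1" => $default,  // CRLF, as tried in the report
    '/etc/passwd'                               => $default,  // local path, but no such route
    '/bareos-webui/job/details/?jobid=42'       => '/bareos-webui/job/details/?jobid=42',
];

foreach ($cases as $input => $expected) {
    $got = safeRedirectTarget($input, $routes, $default);
    printf("%-48s -> %s%s\n", json_encode($input), $got, $got === $expected ? '' : '  (UNEXPECTED)');
}
```

The two guards are independent: the route match alone would already stop the off-site redirect the reporter found, while the CR/LF rejection turns the 500 the reporter observed into a controlled fallback to the default page rather than relying on the HTTP layer to refuse the header.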

- Issue History
Date Modified Username Field Change
2017-02-09 14:48 ehuggett New Issue
2017-03-02 13:26 frank Assigned To => frank
2017-03-02 13:26 frank Status new => assigned
2017-03-16 16:19 frank Status assigned => confirmed
2017-03-16 16:30 frank Changeset attached => bareos-webui bareos-16.2 455f6b5c
2017-03-16 16:30 frank Note Added: 0002609
2017-03-16 16:30 frank Status confirmed => resolved
2017-03-16 16:30 frank Resolution open => fixed
2017-03-16 16:31 frank bareos-master: impact => yes
2017-03-16 16:31 frank bareos-master: action => fixed
2017-03-16 16:31 frank bareos-16.2: impact => yes
2017-03-16 16:31 frank bareos-16.2: action => fixed
2017-03-16 16:31 frank Status resolved => closed
2017-03-16 16:31 frank Assigned To frank =>
2017-06-08 16:48 frank Fixed in Version => 16.2.6
2017-06-08 16:49 frank Relationship added child of 0000794

