View Issue Details

ID: 0000781
Project: bareos-core
Category: webui
View Status: public
Last Update: 2017-06-08 16:49
Reporter: ehuggett
Assigned To: (none)
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 16.2.4
Fixed in Version: 16.2.6
Summary: 0000781: Login will redirect to arbitrary urls from req parameter
Description: When a session times out the user is redirected to the login form with the path to the requested page as a URL parameter. For example, a request for the dashboard without a valid session will redirect the user to:

https://[hostname]/bareos-webui/auth/login?req=/bareos-webui/dashboard/

I changed the value of the req parameter to https://www.google.com (url encoded):

https://[hostname]/bareos-webui/auth/login?req=https%3A%2F%2Fwww.google.com

And when I logged in I was redirected to https://www.google.com .

As the redirect is done in the "Location" header of the HTTP response I did attempt to inject headers into the HTTP response, but it seems including URL-encoded carriage returns (fortunately) results in an HTTP status code of 500 with no Location header or injected header returned.

A user with a valid session enticed to use such a link is not redirected to the value of the req parameter and instead appears to always be returned to the dashboard.

I have done nothing further to look into this behaviour, but I would suggest that it is undesirable and perhaps someone with more time could check for other potential misuse of this parameter? (for example, if combined with issue 0000732 does this result in a job being run? etc)
Tags: No tags attached.

Relationships

child of 0000794 (closed, stephand): Release bareos-16.2.6

Activities

frank (developer), 2017-03-16 16:30, note ~0002609

Fix committed to bareos-webui bareos-16.2 branch with changesetid 6920.

Related Changesets

bareos-webui: bareos-16.2 455f6b5c
2017-03-16 17:10, frank
Ported: N/A
Fix to bug report 0000781

Check if request URI matches against registered Router
to prevent injected arbitrary uri redirects.

Fixes 0000781: Login will redirect to arbitrary urls from req parameter
Affected Issues: 0000781
mod - module/Auth/src/Auth/Controller/AuthController.php
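As an added example (not the project's own fix, which lives in the PHP AuthController.php above), the kind of check the commit message describes, written in Python: the req value is used as the post-login redirect only when it is a local path that the application's router would dispatch, otherwise the user lands on the dashboard. The route table and base path here are a constructed stand-in for the real registered router.

```python
"""Validate a post-login redirect target against the application's own routes."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the registered router: only paths under the
# application base that match one of these patterns are valid targets.
BASE_PATH = "/bareos-webui"
REGISTERED_ROUTES = [
    re.compile(r"^/dashboard/?$"),
    re.compile(r"^/job(/[^/]+)*/?$"),     # hypothetical route shape, for illustration
    re.compile(r"^/client(/[^/]+)*/?$"),  # hypothetical route shape, for illustration
]
DEFAULT_TARGET = f"{BASE_PATH}/dashboard/"


def matches_registered_route(req: str) -> bool:
    """True only for a local path that the router would actually dispatch."""
    # Reject control characters before parsing: urlsplit() silently strips
    # CR/LF/TAB, which would hide a header-injection attempt from the checks
    # below. The report notes the server already answers 500 on these, but
    # the redirect logic should not depend on that.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in req):
        return False
    parts = urlsplit(req)
    # Absolute URLs (scheme set) and protocol-relative URLs (//host) leave
    # the site; this is the open redirect the report demonstrates.
    if parts.scheme or parts.netloc:
        return False
    # Some browsers normalise '\' to '/', so "/\evil.example" would become
    # protocol-relative after the check; treat backslashes as foreign.
    if "\\" in parts.path or not parts.path.startswith(BASE_PATH + "/"):
        return False
    local = parts.path[len(BASE_PATH):]
    return any(route.match(local) for route in REGISTERED_ROUTES)


def redirect_target(query_string: str) -> str:
    """Choose the post-login Location from the login URL's raw query string."""
    req = parse_qs(query_string).get("req", [""])[0]
    return req if matches_registered_route(req) else DEFAULT_TARGET
```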

Issue History

Date Modified Username Field Change
2017-02-09 14:48 ehuggett New Issue
2017-03-02 13:26 frank Assigned To => frank
2017-03-02 13:26 frank Status new => assigned
2017-03-16 16:19 frank Status assigned => confirmed
2017-03-16 16:30 frank Changeset attached => bareos-webui bareos-16.2 455f6b5c
2017-03-16 16:30 frank Note Added: 0002609
2017-03-16 16:30 frank Status confirmed => resolved
2017-03-16 16:30 frank Resolution open => fixed
2017-03-16 16:31 frank Status resolved => closed
2017-03-16 16:31 frank Assigned To frank =>
2017-06-08 16:48 frank Fixed in Version => 16.2.6
2017-06-08 16:49 frank Relationship added child of 0000794