View Issue Details
Field | Value
---|---
ID | 0000781
Project | bareos-core
Category | webui
View Status | public
Date Submitted | 2017-02-09 14:48
Last Update | 2017-06-08 16:49
Reporter | ehuggett
Assigned To | 
Priority | normal
Severity | minor
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 16.2.4
Fixed in Version | 16.2.6
Summary | 0000781: Login will redirect to arbitrary urls from req parameter
Tags | No tags attached.

Description

When a session times out the user is redirected to the login form with the path to the requested page as a URL parameter. For example, a request for the dashboard without a valid session will redirect the user to:

https://[hostname]/bareos-webui/auth/login?req=/bareos-webui/dashboard/

I changed the value of the req parameter to https://www.google.com (URL encoded):

https://[hostname]/bareos-webui/auth/login?req=https%3A%2F%2Fwww.google.com

And when I logged in I was redirected to https://www.google.com.

As the redirect is done in the "Location" header of the HTTP response I did attempt to inject headers into the HTTP response, but it seems including URL-encoded carriage returns (fortunately) results in an HTTP status code of 500 with no Location header or injected header returned.

A user with a valid session enticed to use such a link is not redirected to the value of the req parameter and instead appears to always be returned to the dashboard.

I have done nothing further to look into this behaviour, but I would suggest that it is undesirable and perhaps someone with more time could check for other potential misuse of this parameter? (For example, if combined with issue 0000732, does this result in a job being run? etc.)
Changeset: bareos-webui, branch bareos-16.2, commit 455f6b5c, 2017-03-16 17:10 (Ported: N/A)

Commit message:

Fix to bugreport 0000781
Check if request URI matches against registered Router to prevent injected arbitrary uri redirects.
Fixes 0000781: Login will redirect to arbitrary urls from req parameter

Affected Issues: 0000781

Files changed:
- mod - module/Auth/src/Auth/Controller/AuthController.php
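As an added illustration, not code from the Bareos project, the following Python (rather than the project's PHP) shows the kind of check the commit message describes: a post-login redirect target is honoured only if it is a local, absolute-path URI that matches a registered route, otherwise the user lands on the dashboard, which is also what the reporter observed for users who already hold a session. The route list, the default target and both function names are constructed for the example; the first function only reproduces the pre-fix behaviour for contrast.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the WebUI's registered router: the route
# prefixes a post-login redirect may legitimately point at.
REGISTERED_ROUTES = (
    "/bareos-webui/dashboard/",
    "/bareos-webui/job/",
    "/bareos-webui/client/",
)
DEFAULT_TARGET = "/bareos-webui/dashboard/"


def vulnerable_redirect_target(req: str) -> str:
    """Pre-fix behaviour: whatever arrived in ?req= goes straight into Location."""
    return req or DEFAULT_TARGET


def safe_redirect_target(req: str) -> str:
    """Return a redirect target that is guaranteed to stay on this application.

    Anything that is not a local absolute path matching a registered route
    falls back to the dashboard.
    """
    if not req:
        return DEFAULT_TARGET
    # Decode once so an encoded scheme or newline cannot hide from the checks.
    candidate = unquote(req)
    # CR/LF would let the value break out of the Location header line.
    if re.search(r"[\r\n]", candidate):
        return DEFAULT_TARGET
    # Browsers treat a backslash like a slash, so "/\evil" is really "//evil".
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)
    # A scheme or host means an external (or scheme-relative //host) target.
    if parts.scheme or parts.netloc:
        return DEFAULT_TARGET
    # Must be an absolute path on this server: not relative, not "//".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_TARGET
    # The equivalent of "does the router know this URI?": match a route prefix.
    if not any(parts.path.startswith(route) for route in REGISTERED_ROUTES):
        return DEFAULT_TARGET
    return candidate
```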
Date Modified | Username | Field | Change |
---|---|---|---|
2017-02-09 14:48 | ehuggett | New Issue | |
2017-03-02 13:26 | frank | Assigned To | => frank |
2017-03-02 13:26 | frank | Status | new => assigned |
2017-03-16 16:19 | frank | Status | assigned => confirmed |
2017-03-16 16:30 | frank | Changeset attached | => bareos-webui bareos-16.2 455f6b5c |
2017-03-16 16:30 | frank | Note Added: 0002609 | |
2017-03-16 16:30 | frank | Status | confirmed => resolved |
2017-03-16 16:30 | frank | Resolution | open => fixed |
2017-03-16 16:31 | frank | Status | resolved => closed |
2017-03-16 16:31 | frank | Assigned To | frank => |
2017-06-08 16:48 | frank | Fixed in Version | => 16.2.6 |
2017-06-08 16:49 | frank | Relationship added | child of 0000794 |