[MAGNOLIA-7167] Open Redirect Vulnerabilities Created: 28/Sep/17  Updated: 15/Jun/21  Resolved: 15/Jun/21

Status: Closed
Project: Magnolia
Component/s: security
Affects Version/s: 5.4.11
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: Philipp Bärfuss Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
caused by MAGNOLIA-6043 LoginFilter: Allow dynamic redirects ... Closed

Description

In MAGNOLIA-5991 the option to do a GET login with additional parameters was removed to avoid malicious links.

But there are valid use cases for redirects after login, and this was addressed in MAGNOLIA-6043 by introducing the mgnlReturnTo parameter. The problem with this generic parameter is that it allows any kind of malicious redirect and also invalidates MAGNOLIA-5991.

Example Link: http://localhost:8080/konto?mgnlReturnTo=http%3A%2F%2Fexample.com%2Fnext

More on the topic: https://www.trustwave.com/Resources/SpiderLabs-Blog/Understanding-and-Discovering-Open-Redirect-Vulnerabilities/

A solution would be to keep the support for mgnlReturnTo but maintain a whitelist of allowed URLs and parameter names.
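The whitelist approach proposed above, as an added example that is not Magnolia's own code: a small validator that a login filter could call before redirecting to the value of mgnlReturnTo. It accepts site-local paths and absolute http(s) URLs whose host is on a hypothetical allowlist (`trusted.example` here is a constructed value) and falls back to `/` for everything else. It goes slightly beyond the report by also handling the scheme-relative (`//host`) and backslash forms that browsers treat as leaving the site. The class name and the allowlist are assumptions for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Magnolia's own code): validates a mgnlReturnTo value
 * against an allowlist before a login filter uses it as a redirect target.
 */
public final class ReturnToValidator {

    /** Where to send the user when the requested target is not allowed. */
    static final String DEFAULT_TARGET = "/";

    private final Set<String> allowedHosts;

    /** allowedHosts: lowercase host names that absolute URLs may point to (hypothetical allowlist). */
    public ReturnToValidator(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Returns returnTo unchanged if it is safe to redirect to, otherwise DEFAULT_TARGET. */
    public String sanitize(String returnTo) {
        if (returnTo == null || returnTo.isEmpty()) {
            return DEFAULT_TARGET;
        }
        // Control characters, spaces and backslashes are rejected up front: browsers strip
        // tab/newline and normalise "\" to "/", so "/\evil.example" would open "//evil.example".
        for (char c : returnTo.toCharArray()) {
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return DEFAULT_TARGET;
            }
        }
        URI uri;
        try {
            uri = new URI(returnTo);
        } catch (URISyntaxException e) {
            return DEFAULT_TARGET;
        }
        if (uri.isAbsolute()) {
            // Absolute URL: only http(s), and only to a host on the allowlist.
            // getHost() ignores userinfo, so "http://trusted.example@evil.example/" yields evil.example.
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) {
                return DEFAULT_TARGET;
            }
            String host = uri.getHost();
            if (host == null || !allowedHosts.contains(host.toLowerCase(Locale.ROOT))) {
                return DEFAULT_TARGET;
            }
            return returnTo;
        }
        // Relative reference: must be a site-local path such as "/konto". A second leading slash
        // ("//evil.example" or "///evil.example") is scheme-relative and would leave the site.
        if (!returnTo.startsWith("/") || returnTo.startsWith("//")) {
            return DEFAULT_TARGET;
        }
        return returnTo;
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration; "trusted.example" is a hypothetical allowed host.
        ReturnToValidator v = new ReturnToValidator(Set.of("trusted.example"));
        String[] samples = {
            "/konto",                                   // local path: allowed
            "/konto?mgnlReturnTo=%2Fsecure",            // local path with query: allowed
            "http://example.com/next",                  // the link from the report: rejected
            "https://trusted.example/dashboard",        // allowlisted host: allowed
            "http://trusted.example@evil.example/",     // userinfo trick: rejected
            "//evil.example/next",                      // scheme-relative: rejected
            "/\\evil.example",                          // backslash trick: rejected
            "javascript:alert(1)",                      // non-http scheme: rejected
        };
        for (String s : samples) {
            System.out.printf("%-45s -> %s%n", s, v.sanitize(s));
        }
    }
}
```

The allowlist is compared against the parsed host rather than by string prefix, so `http://trusted.example.evil.example/` and userinfo-based lookalikes fail the check; an exact-match set is the simplest form of the "white list of allowed urls" the report asks for, and a filter would additionally restrict which parameter names may be carried through if the deployment needs that.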


Comments
Comment by Federico Grilli [ 15/Jun/21 ]

Solved by MAGNOLIA-7915
