Great, I provided a patch in https://issues.apache.org/jira/browse/SLING-4469.
Would you mind having a look at that?
Thanks,
Konrad

> On 03 Mar 2015, at 08:01, Antonio Sanso <[email protected]> wrote:
> 
> hi Konrad
> On Mar 2, 2015, at 5:55 PM, Konrad Windszus <[email protected]> wrote:
> 
>> Hi,
>> 
>> in https://issues.apache.org/jira/browse/SLING-3141 there was an issue fixed 
>> which made it possible to redirect from a Sling instance to another server 
>> with a forged GET-request (although there was a hop in the middle necessary 
>> which was the Login Form being provided by Sling).
>> 
>> Currently the Sling Post Servlet 
>> (https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305)
>> does not validate the value being passed for parameter :redirect 
>> (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect).
>> Although I think it can only be exploited similarly to SLING-3141 in case 
>> there is a vulnerability also in the script rendering the form, it should 
>> still not be allowed to pass arbitrary hosts IMHO. I think the same 
>> restrictions as for resources in the Sling Authenticators make sense here. 
>> For that we could leverage the method AuthUtil.isRedirectValid 
>> (https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451),
>> although one probably needs to move that method somewhere else to prevent a 
>> direct dependency from Sling Servlets Post Bundle to the Sling Auth Core 
>> Bundle.
>> 
>> WDYT?
>> 
>> In case you agree I would create a JIRA issue for that and try to come up 
>> with a fix.
> 
> it sounds like a plan :)
> 
> regards
> 
> antonio
> 
>> Thanks,
>> Konrad
> 
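
The kind of same-host check discussed above, as an added stand-alone example (not Sling's own AuthUtil.isRedirectValid and not the SLING-4469 patch): it rejects anything a browser could resolve to another origin when it is echoed in a Location header. The class and method names are hypothetical, the sample targets are constructed for the demo, and the example deliberately leaves out what the real method has to deal with (servlet context path, whether the target resource actually resolves).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Example same-origin validation for a user-supplied redirect target such as
 * the Sling Post Servlet's :redirect parameter. Written for this thread as an
 * illustration; it is not Sling's AuthUtil.isRedirectValid and omits context
 * path handling and resource resolution. Names are hypothetical.
 */
public final class RedirectTargetCheck {

    private RedirectTargetCheck() {
    }

    /**
     * Returns true only if {@code target} is a server-relative path that a
     * browser will resolve against the host that issued the redirect.
     */
    public static boolean isRedirectValid(String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Reject control characters, whitespace and backslashes before parsing:
        // browsers normalise "\" to "/" in http(s) URLs, so "/\evil.example"
        // would be sent as "//evil.example", and CR/LF could split the header.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c <= 0x20 || c == 0x7f || c == '\\') {
                return false;
            }
        }
        final URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false; // not a syntactically valid URI reference
        }
        // Any scheme ("https:", "javascript:", "data:") or authority
        // ("//evil.example") means the target can leave this host.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        // Require an absolute path; a relative one ("content/x") resolves
        // against the current request URL, which is harder to reason about.
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/")) {
            return false;
        }
        // Conservatively refuse dot segments: a redirect target should name a
        // repository path, not walk up from one.
        for (String segment : path.split("/")) {
            if (segment.equals("..") || segment.equals(".")) {
                return false;
            }
        }
        return true;
    }

    /** Constructed sample targets with the verdict expected for each. */
    public static Map<String, Boolean> samples() {
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put("/content/page.html", true);
        samples.put("/content/page.html?wcmmode=disabled#top", true);
        samples.put("https://evil.example/", false);       // absolute URL
        samples.put("//evil.example/", false);             // protocol-relative URL
        samples.put("/\\evil.example/", false);            // backslash normalisation
        samples.put("javascript:alert(1)", false);         // scheme without authority
        samples.put("/content/../system/console", false);  // dot segment
        samples.put("content/page.html", false);           // not server-relative
        samples.put("", false);                            // empty value
        return samples;
    }

    public static void main(String[] args) {
        for (Map.Entry<String, Boolean> e : samples().entrySet()) {
            boolean actual = isRedirectValid(e.getKey());
            System.out.printf("%-45s %s%n", "\"" + e.getKey() + "\"",
                    actual == e.getValue() ? "ok" : "MISMATCH");
        }
    }
}
```

Compile and run with `javac RedirectTargetCheck.java && java RedirectTargetCheck`; every sample should print `ok`. The pre-parse character filter matters because `java.net.URI` alone would accept some inputs that browsers reinterpret, and rejecting a scheme or authority is what actually keeps the redirect on the issuing host.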
