-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I totally effed up on this one. It has rightfully been pointed out that this issue was public a *month* ago, and the disclosure was made by folks totally unrelated to Drupal security. Completely my bad. Sincerest apologies to all for my royal fuckup. I should have checked the module issue queue before reporting the issue in the first place!
Justin C. Klein Keane
http://www.MadIrish.net
The digital signature on this e-mail can be verified using the key at
http://www.madirish.net/gpgkey

On 05/23/2010 08:15 AM, Justin C. Klein Keane wrote:
> Details of this vulnerability can also be found at:
> http://www.madirish.net/?article=460
>
> Description of Vulnerability:
> -----------------------------
> Drupal (http://drupal.org) is a robust content management system (CMS)
> written in PHP and MySQL. The Drupal Global Redirect module
> (http://drupal.org/project/globalredirect) is designed to address issues
> with path aliases in Drupal that could result in user confusion or
> search engine sandboxing. Unfortunately the Global Redirect module does
> not perform adequate input checking.
>
> Systems affected:
> -----------------
> Drupal 6.16 with Global Redirect 6.x-1.2 was tested and shown to be
> vulnerable. According to
> (http://drupal.org/project/usage/globalredirect) some 30,000 sites may
> be affected by this issue.
>
> Impact
> ------
> Attackers can provide links to the target site that actually redirect
> users to third party sites. Such tactics are common in phishing and other
> trust exploitation attacks. For instance, attackers could provide a
> link to a legitimate site in an e-mail that when clicked on would take
> the user to an untrusted third party site.
>
> Mitigating factors:
> -------------------
> In order to execute the proof of concept described below the attacker
> must trick a user into clicking on a link with malicious parameters.
>
>
> Proof of Concept:
> -----------------
> Attackers need only provide a link to the target site appended with
> /index.php?q=[target_url].
> For instance, if the site in question were
> http://172.16.46.129/drupal-6.16, the following link would redirect the
> user to the Google.com homepage:
>
> http://172.16.46.129/drupal-6.16/index.php?q=http://www.google.com
>
> Technical Discussion:
> ---------------------
> The drupal_goto function
> (http://api.drupal.org/api/function/drupal_goto) normally restricts
> redirects to local links utilizing a check on lines 323-327 in
> includes/common.inc. However, the Global Redirect module does not
> perform any such checking. If a redirect request is detected in the
> form of a URL GET parameter of 'q' when calling the index page the
> Global Redirect module forwards the request to the parameter value.
>
> Vendor Response:
> ----------------
> In an uncoordinated disclosure, Drupal security decided to handle this
> issue publicly at http://drupal.org/node/768244.
>
> Patch:
> ------
> Applying the following patch mitigates this vulnerability:
> --- globalredirect/globalredirect.module 2008-12-22
> 05:34:32.000000000 -0500
> +++ globalredirect.fixed/globalredirect.module 2010-05-21
> 15:26:08.497695637 -0400
> @@ -146,7 +146,12 @@ function globalredirect_init() { > if ($_REQUEST['q'] != $prefix . $alias) { > // If it's not just a slash or user has deslash on, redirect > if (str_replace($prefix . $alias, '', $_REQUEST['q']) != '/' || > $redirect_slash) { > - drupal_goto($alias, $query_string, NULL, 301); > + // Do not redirect to an absolute URL originating from user input. > + $colonpos = strpos($request, ':'); > + $absolute = ($colonpos !== FALSE && > !preg_match('![/?#]!', substr($request, 0, $colonpos))); > + if (!$absolute) { > + drupal_goto($request, $query_string, NULL, 301); > + } > } > }

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkv5dQEACgkQkSlsbLsN1gAFfAb+MghsWPqsmAmU5Ac+U99OT+zV
DjE/aM4A9OPHfjrgA4sn8NkG6rHX03JGb9wIKAzM//2B08zyj7C/v/1SnFMZibrp
hKVhRKMxJMAA9kV8W0EvF6xnCeQc8jnKVZ2LC9tLlXYdpvF/P0Uq144w/Bi5URpW
Qh3JNdfbFUHmguXE3K266yOhnckMGw5vKgANkv6i5KXdsNPGGrz6pM5e/XKHheUT
+ybLGxGRIVkggRGZ9KAjkbUY1Pda0QNN/DmIKLh/bccDSaZAIbtX5o7s1usuPvdn
NE2O9Dmf9KrzkefuWIo=
=u2Xe
-----END PGP SIGNATURE-----
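Review bot: the added lines in the globalredirect_init() hunk test and redirect on a variable named $request, which is not defined in any of the visible context lines, while the line being removed redirected to $alias; either the check and the drupal_goto() call should both use $alias (the value the surrounding code actually derives from $_REQUEST['q']), or the hunk needs to show where $request is assigned, because as written the patch either redirects to an undefined variable or changes the redirect target compared with the code it replaces. The check itself only flags a value whose first ':' comes before any '/', '?' or '#', so a scheme-less, protocol-relative target such as //evil.example/ has no colon and passes through to drupal_goto() unchanged; whether drupal_goto()/url() then emits an off-site Location: header is not shown on this page, so a test case for that input should accompany the fix. Finally, when $absolute is TRUE the function now falls through without redirecting at all; that is acceptable, but a one-line comment saying the request is then served at its original path would make the intended behaviour explicit.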
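The absolute-URL test that the advisory attributes to drupal_goto() and that the patch copies into the module, as an added example that is not code from the Global Redirect module, from Drupal core or from the advisory's patch: the test is extracted into a standalone PHP function and run over a set of constructed ?q= values, the advisory's proof of concept among them, so its classification can be inspected directly. It is paired with a stricter policy of this example's own that also refuses protocol-relative and control-character targets; the function names, the sample values and that stricter rule are assumptions for illustration, not anything the page or the project defines.

```php
<?php
// Added example (not Global Redirect, Drupal core or the patch's own code).
// Vets a user-supplied redirect target the way drupal_goto() vets
// ?destination=, then applies a stricter policy that this example assumes.

/**
 * The test from drupal_goto() and from the patch: TRUE when the first ':'
 * comes before any '/', '?' or '#', i.e. the value starts with a URL scheme
 * (http:, https:, javascript:, ...).
 */
function redirect_target_has_scheme($target) {
  $colonpos = strpos($target, ':');
  if ($colonpos === FALSE) {
    return FALSE;
  }
  return !preg_match('![/?#]!', substr($target, 0, $colonpos));
}

/**
 * Hypothetical stricter policy (this example's assumption, not the patch):
 * returns the local path to redirect to, or NULL when the target must be
 * refused. Beyond the scheme test it refuses protocol-relative targets,
 * which contain no ':' and therefore pass the scheme test untouched, and
 * control characters, which have no business in a Location: header.
 */
function local_redirect_target_or_null($target) {
  if (redirect_target_has_scheme($target)) {
    return NULL;
  }
  if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
    return NULL;
  }
  // Browsers accept '\' where '/' is expected in the authority position,
  // so normalise before the protocol-relative check.
  $normalised = str_replace('\\', '/', $target);
  if (substr($normalised, 0, 2) === '//') {
    return NULL;
  }
  return ltrim($normalised, '/');
}

/**
 * Classify each constructed ?q= value with both tests; returns one row per
 * value: the value, the verdict of the patch's scheme test, and the verdict
 * of the stricter policy.
 */
function vet_redirect_targets(array $targets) {
  $rows = array();
  foreach ($targets as $q) {
    $local = local_redirect_target_or_null($q);
    $rows[] = array(
      'q'           => $q,
      'scheme_test' => redirect_target_has_scheme($q) ? 'refuse' : 'allow',
      'strict'      => $local === NULL ? 'refuse' : 'redirect to /' . $local,
    );
  }
  return $rows;
}

// Constructed sample values, not captured traffic. The first is the
// advisory's proof of concept; the rest probe the edges of the check.
$samples = array(
  'http://www.google.com',                      // advisory PoC: scheme, refused by both
  'javascript:alert(1)',                        // scheme, refused by both
  '//www.google.com',                           // no ':' -> the scheme test allows it
  '/\\www.google.com',                          // backslash variant of the line above
  'node/1',                                     // ordinary local path, allowed by both
  'node/1?x=a:b',                               // ':' after '/' is not a scheme
  "node/1\r\nLocation: http://evil.example/",   // control characters, refused by strict only
);

foreach (vet_redirect_targets($samples) as $row) {
  $shown = str_replace(array("\r", "\n"), array('\r', '\n'), $row['q']);
  printf("%-44s scheme-test=%-7s strict=%s\n", $shown, $row['scheme_test'], $row['strict']);
}
```

Run it with php on the command line; the //www.google.com and /\www.google.com rows are the ones to look at, since the scheme test alone allows them and only the stricter policy refuses them. The control-character rule is defence in depth: PHP's header() has refused embedded newlines since 5.1.2, so it adds nothing against header injection on a current interpreter, but it keeps the policy explicit rather than relying on the runtime.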
