Howdy all,
In web2py I've noticed a number of methods in gluon/tools.py that
utilize client input to determine site flow:
    if next == DEFAULT:
        next = request.get_vars._next \
            or request.post_vars._next \
            or self.settings.login_next
and subsequent
    if next and not next[0] == '/' and next[:4] != 'http':
        next = self.url(next.replace('[id]', str(form.vars.id)))
    redirect(next)
Methods:
AUTH: login, register, retrieve_username, reset_password_deprecated,
reset_password, request_reset_password (retrieve_password),
change_password, profile
CRUD: update, delete
To me it seems that a malicious individual can abuse the trust of
our site to:
a) trick users into instantiating a CSRF from our site
b) provide information (credentials?) to a phishing site.
I'm sure we can all come up with some simple examples to provide users
links that will redirect to a malicious site upon authentication.
Simple ex: (http://web2py-site/login?_next=http://web2py_site/login)
where the secondary site mimics original and identifies that the
authentication failed, and to reenter id/pw (even though we only get
here after original site auth was success).
Unless I am missing something, the _next flow seems a strange
'default' behaviour for a secure framework.
I'm wondering if the community has input / thoughts on my (perceived?)
_next issue.
Thanks all!!
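The kind of check the post is asking about, as an added example that is not web2py's own code: a hypothetical `safe_next()` helper that accepts a `_next` value only when it is a root-relative path on the same site, and otherwise falls back to a configured default. The default path `/default/index` is an assumed value.

```python
from urllib.parse import urlsplit

# Hypothetical helper (not part of gluon/tools.py): decide whether a
# user-supplied redirect target such as `_next` may be followed.
# Only root-relative paths are allowed. Anything carrying a scheme
# (http:, javascript:, ...) or a host part (//evil.example, ///evil.example)
# would send the browser off-site and is replaced by the default.
def safe_next(candidate, default='/default/index'):
    if not candidate:
        return default
    candidate = candidate.strip()
    # Backslashes and control characters are rejected outright: some
    # browsers normalise "\" to "/" or strip tabs/newlines, which would
    # let "/\evil.example" or "java\tscript:" slip past a naive check.
    if any(c in candidate for c in '\\\r\n\t\x00'):
        return default
    parts = urlsplit(candidate)
    # A scheme or netloc means the target leaves our origin.
    if parts.scheme or parts.netloc:
        return default
    # Must be root-relative, and not the scheme-relative "//host" form
    # (urlsplit maps "//host" to netloc, but "///host" ends up as a bare
    # path, so check the prefix explicitly).
    if not candidate.startswith('/') or candidate.startswith('//'):
        return default
    return candidate
```

Bare action names such as `profile` (which the original code would pass through `self.url()`) are treated as unsafe here; a caller that wants to allow them should build the URL itself and pass the result to `safe_next()`.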