Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

Open redirection - Security bug #5164

Closed Fadavvi closed 6 years ago

Fadavvi commented 6 years ago

Open redirection {even after successful login} - Security bug

Expected Behavior

Expected to redirect only in graylog pages.

Current Behavior

A crafted URL can redirect users to untrusted webpages. (CWE-601)

Possible Solution

Preventing Unvalidated Redirects and Forwards: Simply avoid using redirects and forwards. If used, do not allow the URL as user input for the destination. This can usually be done. In this case, you should have a method to validate the URL. If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user. It is recommended that any such destination input be mapped to a value, rather than the actual URL or a portion of the URL, and that server-side code translate this value to the target URL. Sanitize input by creating a list of trusted URLs (a list of hosts or a regex). Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.

Steps to Reproduce (for bugs)

http://[GraylogWebUI_IP]/login?destination=[AnyLink] For example: 192.168.1.113/login?destination=https://www.google.com

Your Environment

{from the OVA available on your site} Graylog (GNU/Linux 4.2.0-34-generic x86_64)

dennisoelkers commented 6 years ago

Which version are you referring to? Reproducing this with the most recent OVA (2.4.6) is not possible.

Additionally, the OVAs are clearly labeled to be unsuitable for production and supposed to be used only for testing purposes.

For both reasons I am closing this issue. Feel free to reopen it if you have additional information or consider this decision unjustified.