Closed Fadavvi closed 6 years ago
Which version are you referring to? Reproducing this with the most recent OVA (2.4.6) is not possible.
Additionally, the OVAs are clearly labeled to be unsuitable for production and supposed to be used only for testing purposes.
For both reasons I am closing this issue. Feel free to reopen it if you have additional information or consider this decision unjustified.
Open redirection {even after successful login} - Security bug
Expected Behavior
Expected to redirect only to Graylog pages.
Current Behavior
A crafted URL can redirect users to untrusted web pages (CWE-601).
Possible Solution
Preventing Unvalidated Redirects and Forwards: Simply avoid using redirects and forwards. If used, do not allow the URL as user input for the destination. This can usually be done. In this case, you should have a method to validate the URL. If user input can't be avoided, ensure that the supplied value is valid, appropriate for the application, and is authorized for the user. It is recommended that any such destination input be mapped to a value, rather than the actual URL or a portion of the URL, and that server-side code translate this value to the target URL. Sanitize input by creating a list of trusted URLs (lists of hosts or a regex). Force all redirects to first go through a page notifying users that they are going off of your site, and have them click a link to confirm.
Steps to Reproduce (for bugs)
http://[GraylogWebUI_IP]/login?destination=[AnyLink]
For example: 192.168.1.113/login?destination=https://www.google.com
Your Environment
(from the OVA that is available on your site) Graylog (GNU/Linux 4.2.0-34-generic x86_64)
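The two mitigations the report quotes (mapping destination input to a known value, and otherwise accepting only paths on the application's own origin) as an added example; this is illustrative code, not Graylog's own implementation, and the `APP_ORIGIN` value and the alias table are constructed assumptions.

```javascript
// Added example: validate a post-login "destination" parameter so the redirect
// can only land on a page of the same web interface (mitigation for CWE-601).
// Hypothetical helper, not Graylog's code.

// Origin the web interface is served from (constructed sample value).
const APP_ORIGIN = "http://192.168.1.113";
const DEFAULT_DESTINATION = "/";

// Preferred form: the client sends a short alias and the server maps it to a
// fixed path, so no URL is ever taken from user input (constructed table).
const DESTINATION_ALIASES = {
  search: "/search",
  streams: "/streams",
  dashboards: "/dashboards",
};

function safeDestination(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_DESTINATION;

  // Alias lookup first: an exact match to a known name wins.
  if (Object.prototype.hasOwnProperty.call(DESTINATION_ALIASES, raw)) {
    return DESTINATION_ALIASES[raw];
  }

  // Otherwise accept only a single-slash relative path. "//host" is a
  // protocol-relative URL and browsers normalise "/\host" to "//host", so both
  // are rejected before parsing; anything carrying a scheme (https:,
  // javascript:, data:) does not start with "/" and is rejected here as well.
  if (!raw.startsWith("/") || raw.startsWith("//") || raw.startsWith("/\\")) {
    return DEFAULT_DESTINATION;
  }

  let parsed;
  try {
    // Resolve against the application origin; if the result still ends up on a
    // different origin, fall back to the default page.
    parsed = new URL(raw, appOrigin);
  } catch {
    return DEFAULT_DESTINATION;
  }
  if (parsed.origin !== appOrigin) return DEFAULT_DESTINATION;

  // Emit only path, query and fragment: the host never comes from the client.
  return parsed.pathname + parsed.search + parsed.hash;
}
```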