This is a security report. However, as the module is in beta designation it is not supported by Drupal security (ref: https://drupal.org/security-advisory-policy). Therefore this report is being made via the public issue queue.

Description of Vulnerability:
-----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal U Create module "allow[s] non-admin users on your site to create new users. The module automatically sends an invite email to new users with login information." The U Create module (https://drupal.org/project/ucreate) contains an arbitrary redirection vulnerability due to the fact that unchecked URL variables are used to compose link destinations in administrative screens.

Systems affected:
-----------------
Drupal 6.22 with U Create 6.x-1.0-beta4 was tested and shown to be vulnerable

Impact
------
Users could be tricked into viewing links to block site users that contained malicious URL variables. If users followed these links and clicked on the 'Cancel' link to abort blocking, the users could be redirected to arbitrary sites. These could potentially be malicious sites hosting malware or posing as legitimate sites (including the target site) to harvest credentials.

Mitigating factors:
-------------------
In order to exploit this vulnerability site users must be tricked into visiting a specific link in their own site and then click on the 'Cancel' link.

Proof of Concept:
-----------------
1. Install and enable the U Create module and its dependency, the OG (Organic Groups) module
2. Visit the URL ?q=user/[X]/block&destination=http://www.madirish.net where [X] is the uid of a valid site user
3. Click on the 'Cancel' link to be redirected to the MadIrish.net site

Text of this report is also posted at http://www.madirish.net/content/drupal-u-create-6x-10-beta4-arbitrary-re...
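The following is an added example and is not code from the U Create module, from the attached patch, or from the report above. It contrasts a 'Cancel' link built straight from the ?destination= parameter (the open redirect described in the report) with one built the way a later comment says the patch handles it, i.e. the drupal_goto() approach of parsing the value and reusing only its path, query and fragment, so that an attacker-supplied scheme and host never reach the link. Drupal's url()/l() helpers are replaced by a hand-rolled site-relative builder so the script runs with plain `php` outside Drupal, and the fallback path 'admin/user/user' is an assumed default, not something the module or the report specifies.

```php
<?php
// Added example, not code from the U Create module or from the attached patch.
// Vulnerable pattern: whatever arrived in $_GET['destination'] becomes the href.
// With ?destination=http://www.madirish.net the 'Cancel' link leaves the site.
function cancel_href_vulnerable($destination, $default = 'admin/user/user') {
    return $destination !== '' ? $destination : '/' . $default;
}

// Hardened pattern (mirrors what drupal_goto() does with the parameter):
// keep only the components a site-relative URL can carry.
function safe_destination($destination, $default = 'admin/user/user') {
    // $_GET values are already URL-decoded by PHP, so no extra urldecode() here.
    $parts = parse_url($destination);
    if ($parts === false) {
        return '/' . $default;           // unparseable input: fall back
    }
    // Leading slashes are stripped and exactly one is re-added below, so a
    // value such as '///host' cannot come back out as a protocol-relative URL,
    // whichever way parse_url() happens to report it.
    $path = isset($parts['path']) ? ltrim($parts['path'], '/') : '';
    // 'http://host' and '//host' parse to a host with no path at all; they
    // therefore collapse to the default rather than to an off-site link.
    if ($path === '') {
        $path = $default;
    }
    $url = '/' . $path;                  // stand-in for url($path) on a site served from '/'
    if (isset($parts['query']) && $parts['query'] !== '') {
        $url .= '?' . $parts['query'];
    }
    if (isset($parts['fragment']) && $parts['fragment'] !== '') {
        $url .= '#' . $parts['fragment'];
    }
    return $url;
}

// Constructed inputs: the report's proof-of-concept value plus a few variants.
$cases = array(
    'http://www.madirish.net',          // proof of concept from the report
    '//www.madirish.net',               // protocol-relative variant
    'http://www.madirish.net/user/1',   // off-site URL that also carries a path
    'user/1?edit=1#top',                // legitimate on-site destination
    '',                                 // parameter absent or empty
);
foreach ($cases as $destination) {
    printf("%-34s vulnerable -> %-32s hardened -> %s\n",
        var_export($destination, true),
        cancel_href_vulnerable($destination),
        safe_destination($destination));
}
```

Run it with `php example.php`: the first two inputs produce an off-site link from the vulnerable builder and '/admin/user/user' from the hardened one, the off-site URL with a path becomes the on-site '/user/1', and the legitimate on-site destination passes through unchanged. The hardened form still allows any on-site path, which is all a return destination needs. In a real Drupal 6 module the parsed $path, query and fragment should be handed to url() or l() (via the 'query' and 'fragment' options) rather than concatenated by hand as here, so that base paths and non-clean URLs are handled correctly.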

Attachments:
#1 ucreate-6.x-1.0-beta4.patch (840 bytes) by Justin_KleinKeane

Comments

Justin_KleinKeane (#1):

Status: Active » Needs review
Attached file: ucreate-6.x-1.0-beta4.patch, 840 bytes (new)

Attached patch should remedy this vulnerability.

greggles:

I think this is missing some style points (tabs vs. spaces, or just too many spaces), but otherwise it's just a copy/paste from drupal_goto so it works for me.

I'd RTBC except for the style issue, so leaving needs review. The style stuff could be fixed when it gets committed, IMO.