Closed (duplicate)
Project:
Global Redirect
Version:
6.x-1.2
Component:
Code
Priority:
Major
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
1 Dec 2010 at 20:26 UTC
Updated:
23 Jun 2011 at 17:29 UTC
Hello folks
A customer requested to remove an apparently security issue, caused by globalredirect in the way it handles the request to translate node/xx to the human URL inside Drupal.
Well this treatment generates a problem with requests like this http://www.domain.com/?q=http://domain2.com, redirecting the customer to http://domain.com website.
To avoid this behavior I did a little path for the module file to disable this option and return a page not found.
Please consider enabling this option in next release or enable as configuration value.
Regards,
enzo
| Comment | File | Size | Author |
|---|---|---|---|
| globalredirect-disable-external-url.patch | 655 bytes | -enzo- |
Comments
Comment #1
karengrey commentedI recently found out this security flaw as well and have had to turn off the module to stop it from happening.
I will take a look at your patch to see if it works for me,
This needs to be fixed as its a HUGE security flaw!!
Comment #2
mcrittenden commentedSub.
Comment #3
hoporr commented+1.
This is a pretty serious issue for content spoofing. Please put this patch into the main release.
Comment #4
mlefevre commentedThis seems to be the same issue as #768244: Non-clean to Clean allows external redirect
Comment #5
dave reidYes, this is a duplicate of #768244: Non-clean to Clean allows external redirect.