My site was flagged during daily security scans as allowing an open URL redirect. I've found this issue relates to the Secure Login module. When it is enabled, open redirects are allowed; when it is disabled, a 404 error is shown as expected.
Steps to repeat the issue:
1. Install Secure Login on site
2. Go to http://example.com/?q=http://google.com
3. You will be taken to Google (BAD!)
This is a potentially major security hole, especially for sites needing to conform to McAfee Secure PCI compliance.
Comment | File | Size | Author |
---|---|---|---|
#2 | openredirect-1692976.patch | 584 bytes | Ignigena |
#1 | openredirect-1692976.patch | 568 bytes | Ignigena |
Comments
Comment #1
Ignigena commented: Patch attached. Issue was located in the securelogin_secure_redirect() function where no verification was done on $_GET['q'] to make sure it was redirecting to the same domain.
I added simple host match verifying on $_GET['q'] to ensure the redirection is done on the same host as the Drupal base_url.
After this patch is added open redirects are no longer an issue and instead show a 404 error as expected.
Don't use this patch ... I made a dumb mistake and forgot an important piece of code ... see the patch in the next comment.
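The following is an added illustration of the flaw in the report above and of the host-match approach comment #1 describes; it is neither the Secure Login module's code nor the attached patch. The function names `insecure_redirect_target()` and `same_host_redirect_target()` are invented for the example, `$base_url` stands in for Drupal 7's global of the same name, and the sample inputs are constructed. The hardened version goes a little beyond a plain host comparison: it also refuses non-http(s) schemes, scheme-relative `//host` targets, and backslash variants that browsers normalise to `//`.

```php
<?php
// Added illustration for this issue. Not the Secure Login module's code and not the
// attached patch. Function names are invented; $base_url stands in for Drupal 7's
// global $base_url (e.g. "http://example.com").

/**
 * The vulnerable pattern: whatever ?q= contains is handed to the redirect untouched.
 * Drupal 7's url() treats an absolute URL as external and emits it as-is, so
 * drupal_goto() on this value with ?q=http://google.com sends the browser off-site.
 */
function insecure_redirect_target($q) {
  return $q;
}

/**
 * Hardened version: accept the target only if it resolves to the site's own host.
 * Returns the URL to redirect to, or NULL when the caller should refuse and fall
 * through to a 404 instead of redirecting anywhere.
 */
function same_host_redirect_target($q, $base_url) {
  $site = parse_url($base_url);
  if ($site === FALSE || empty($site['host'])) {
    return NULL; // Site base URL itself is unusable; never redirect blindly.
  }
  $target = parse_url($q);
  if ($target === FALSE) {
    return NULL; // Malformed URL such as "http:///foo"; refuse rather than guess.
  }
  if (isset($target['host'])) {
    // Absolute URL (or, on PHP >= 5.4.7, scheme-relative "//host"): require http(s)
    // and an exact, case-insensitive host match. Comparing the whole host string is
    // what rejects look-alikes such as "http://example.com.evil.com".
    $scheme = isset($target['scheme']) ? strtolower($target['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
      return NULL;
    }
    if (strcasecmp($target['host'], $site['host']) !== 0) {
      return NULL;
    }
    return $q;
  }
  if (isset($target['scheme'])) {
    return NULL; // Scheme but no host, e.g. "javascript:..." or "mailto:...".
  }
  // No host and no scheme, so this should be a site-local path. Older PHP parses
  // "//evil.com" as a path, and browsers treat "\\evil.com" and "/\evil.com" as "//",
  // so refuse anything that starts with two characters from the set "/" and "\".
  if (preg_match('#^[\\\\/]{2}#', $q)) {
    return NULL;
  }
  return rtrim($base_url, '/') . '/' . ltrim($q, '/');
}

// Constructed inputs: the report's own case plus common open-redirect bypass shapes.
$base_url = 'http://example.com';
$samples = array(
  'http://google.com',
  'http://example.com/user',
  'http://EXAMPLE.com/user',
  'http://example.com.evil.com/',
  'http://example.com@evil.com/',
  '//google.com',
  '/\\google.com',
  'javascript:alert(1)',
  'user/login',
);
foreach ($samples as $q) {
  $result = same_host_redirect_target($q, $base_url);
  printf("%-32s => %s\n", $q, $result === NULL ? 'REFUSED (404)' : $result);
}
```

Running this prints, for each constructed input, either the same-site URL the redirect may use or `REFUSED (404)`. Two caveats worth knowing before reusing the idea: only the host is compared, so a target on the same host but a different port or scheme is still accepted (compare `$target['port']` and `$target['scheme']` against the site's if that matters), and `parse_url()` is not a browser, so anything it cannot parse is refused rather than interpreted.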
Comment #2
Ignigena commented: Made a dumb mistake and neglected to include an important piece of code in the patch. See the updated and fixed patch below.
Comment #3
greggles commented: @Ignigena - in the future please be sure to report security issues following the process at http://drupal.org/node/101494
This is fixed with http://drupal.org/node/1700594