My site was flagged during daily security scans as allowing an open URL redirect. I've found this issue relates to the Secure Login module. When it is enabled, open redirects are allowed; when disabled a 404 error is shown as expected.

Steps to repeat the issue:

1. Install Secure Login on site
2. Go to http://example.com/?q=http://google.com
3. You will be taken to Google (BAD!)

This is a potentially major security hole, especially for sites needing to conform to McAfee Secure PCI compliance.


Comments

Ignigena

Status: Active » Needs review
FileSize: 568 bytes

Patch attached. Issue was located in the securelogin_secure_redirect() function where no verification was done on $_GET['q'] to make sure it was redirecting to the same domain.

I added simple host match verifying on $_GET['q'] to ensure the redirection is done on the same host as the Drupal base_url.

After this patch is added open redirects are no longer an issue and instead show a 404 error as expected.

Don't use this patch ... I made a dumb mistake and forgot an important piece of code ... see the patch in the next comment.

Ignigena

FileSize: 584 bytes

Made a dumb mistake and neglected to include an important piece of code in the patch. See the updated and fixed patch below.
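
The same-host check described in the comments above, sketched as an added example. It is not the attached patch or the module's code, which this page does not show; the function name and the sample values are hypothetical.

```php
<?php
// Added illustration: the function name and sample values are hypothetical
// and are not taken from the Secure Login module or the attached patch.

/**
 * TRUE when $target is an internal path or an http(s) URL whose host is
 * exactly the host of $base_url (host only; port and scheme are not compared).
 */
function example_is_same_host_redirect($target, $base_url) {
  // Browsers read "\" as "/" and strip some whitespace and control
  // characters, so refuse such input instead of trying to normalise it.
  if (!is_string($target) || preg_match('/[\\\\\x00-\x20\x7f]/', $target)) {
    return FALSE;
  }
  $base = parse_url($base_url);
  $parts = parse_url($target);
  if ($parts === FALSE || empty($base['host'])) {
    return FALSE;
  }
  if (isset($parts['scheme'])) {
    // "http:google.com" has a scheme but no host; browsers still leave the site.
    $web = in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE);
    if (!$web || empty($parts['host'])) {
      return FALSE;
    }
  }
  if (isset($parts['host'])) {
    // Compare the parsed host exactly; a substring or prefix test would accept
    // "example.com.google.com" and "example.com@google.com".
    return strcasecmp($parts['host'], $base['host']) === 0;
  }
  // No scheme and no host: an internal path, unless it starts with "//".
  return strpos($target, '//') !== 0;
}

// Constructed inputs; example.com stands in for the site's base_url.
$samples = array('node/1', 'http://example.com/user', 'http://google.com',
  '//google.com', 'http://example.com@google.com/',
  'http://example.com.google.com/', 'http:google.com', '\\\\google.com');
foreach ($samples as $q) {
  $ok = example_is_same_host_redirect($q, 'http://example.com');
  printf("%-32s %s\n", $q, $ok ? 'redirect' : '404');
}
```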

greggles

Status: Needs review » Closed (fixed)

@Ignigena - in the future please be sure to report security issues following the process at http://drupal.org/node/101494

This is fixed with http://drupal.org/node/1700594