Actions
Bug #11105
closedSecurity issue: Redirect-Secret can be set by anyone
Start date:
11/23/2022
Due date:
% Done:
100%
Estimated time:
Description
WApplication::encodeUntrustedUrl
relies on a secret in WebController
(redirectSecret_
). This is normally randomly generated.
However, a fix for issue #4207 introduced a regression here. We will overwrite redirectSecret_
with whatever is found in the Redirect-Secret
header, allowing anyone to reassign this variable.
There's also a concurrency issue: many different sessions may concurrently write to redirectSecret_
. In fact, I stumbled upon this when running a Wt build with -fsanitize=thread
(when looking into issue #11101).
To address this:
- Make assignment to
redirectSecret_
atomic - Only look at the header if we're behind a (trusted) reverse proxy
- Discard any such header before passing it on to the downstream session process
- Rename the header to something like
X-Wt-Redirect-Secret
to indicate that it is non-standard
Updated by Roel Standaert about 2 years ago
The vulnerabilities are:
- potential crashes (DoS) by repeatedly changing the
Redirect-Secret
token (concurrent modifications leading to segmentation faults, and interfering with external links) - by setting
Redirect-Secret
to a token that the attacker knows, an open redirect URL can be created: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html- Side note: the hash is created with MD5 with a secret of 32 alphanumeric characters (with capital letters, 62 possibilities), even though it is only MD5, brute forcing it doesn't seem very feasible
Updated by Roel Standaert about 2 years ago
- Status changed from New to InProgress
- Assignee set to Roel Standaert
Updated by Roel Standaert about 2 years ago
- Status changed from InProgress to Review
- Assignee changed from Roel Standaert to Korneel Dumon
Updated by Roel Standaert about 2 years ago
- Status changed from Review to Resolved
Updated by Roel Standaert about 2 years ago
- Assignee changed from Korneel Dumon to Roel Standaert
Updated by Roel Standaert about 2 years ago
- Target version changed from 4.9.0 to 4.8.3
Updated by Roel Standaert about 2 years ago
- Status changed from Resolved to Closed
Actions