• Advisory ID: DRUPAL-SA-CONTRIB-2012-103
• Project: Global Redirect (third-party module)
• Version: 6.x, 7.x
• Date: 2012-June-13
• Security risk: Less critical
• Exploitable from: Remote
• Vulnerability: Open Redirect

Description

This module improves SEO and usability of a site by redirecting visitors to user-friendly and search-engine-friendly URLs.

The module does not sufficiently validate that a destination URL is internal to the site, allowing an attacker to disguise a malicious destination address as a query parameter passed to a legitimate site URL.

This vulnerability is mitigated by the fact that a site must have the "non-clean to clean" redirect enabled; however, this is the default configuration.
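The following is an added example, not the module's own code, of the check the advisory describes as missing: before a non-clean request is redirected to its clean URL, confirm that the destination taken from the query string is internal to the site. It is written in Python rather than the module's PHP so it can be run directly; the site base URL and the parameter name `q` are assumptions.

```python
"""Defensive validation of a redirect destination taken from a query parameter.

Added example (not the Global Redirect module's code). The site base URL and
the parameter name "q" are assumptions chosen for illustration.
"""
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

SITE_BASE = "https://example.com/"  # assumption: this site's canonical base URL


def is_internal_destination(destination: str) -> bool:
    """Return True only if `destination` is a path on this site.

    Rejects absolute URLs, scheme-relative URLs ("//host/..."), backslash
    variants that browsers normalise to "//", and anything carrying a scheme.
    """
    if not destination:
        return False
    # Browsers treat backslashes in a URL prefix like forward slashes, so
    # "/\host" is effectively "//host" (scheme-relative) once normalised.
    normalised = destination.replace("\\", "/")
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    # Resolve against the site base and confirm the host did not change.
    resolved = urlsplit(urljoin(SITE_BASE, normalised))
    return resolved.netloc == urlsplit(SITE_BASE).netloc


def clean_url_from_query(query_string: str, param: str = "q") -> Optional[str]:
    """Build the clean-URL redirect target for a non-clean request.

    Returns a root-relative path, or None when the parameter is missing or
    the destination would leave the site (the caller must then not redirect).
    """
    values = parse_qs(query_string).get(param)
    if not values:
        return None
    path = values[0]
    if not is_internal_destination(path):
        return None
    # Internal paths are written relative ("node/1"); make them root-relative.
    return "/" + path.lstrip("/")
```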

CVE: CVE-2012-2732

Versions affected

  • Global Redirect 6.x-1.x versions prior to 6.x-1.4.
  • Global Redirect 7.x-1.x versions prior to 7.x-1.4.

Drupal core is not affected. If you do not use the contributed Global Redirect module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Global Redirect project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.