The URL that redirects to the other domain (and creates the secret in the table) can be called by anyone, for anyone. (The basic principle of CSRF: anyone can call URLs as you.) Meaning, I could make you log in on another domain. There's no real security flaw (I think), but it is dubious.

Fix is easy: add a token to the first URL. If the token is missing/invalid, it won't create a secret and it won't redirect to the other domain.

Domain Menu does this for its Flush Cache links. If it didn't, anyone could 'make' anyone flush their caches, and that's annoying =)

Comments

rudiedirkx created an issue. See original summary.

  • SpadXIII committed 80fdf11 on 7.x-1.x
    Issue #2618174: Add token to redirect URL
    
spadxiii

Status: Active » Fixed

Added a hook_url_outbound_alter() to add a token to the URLs and check for the token in the page callback.
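A sketch of the approach described in this comment, added here as an illustration and not the code from the commit: a Drupal 7 module appends a session-bound token to every link to the redirect URL and the page callback refuses to act without it. The module name `example_sso`, the path, the target domain and the way the secret is handed over are assumptions.

```php
<?php
// Hypothetical module "example_sso"; path and function names are assumptions.
define('EXAMPLE_SSO_PATH', 'example-sso/start');

/**
 * Implements hook_menu().
 */
function example_sso_menu() {
  $items[EXAMPLE_SSO_PATH] = array(
    'page callback' => 'example_sso_start',
    'access callback' => 'user_is_logged_in',
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Implements hook_url_outbound_alter().
 *
 * Links to the start URL rendered by this site get a token derived from the
 * current session, so a URL built by someone else cannot carry a valid one.
 */
function example_sso_url_outbound_alter(&$path, &$options, $original_path) {
  if ($original_path === EXAMPLE_SSO_PATH) {
    $options['query']['token'] = drupal_get_token(EXAMPLE_SSO_PATH);
  }
}

/**
 * Page callback: no secret and no redirect unless the token is valid.
 */
function example_sso_start() {
  $token = (isset($_GET['token']) && is_string($_GET['token'])) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, EXAMPLE_SSO_PATH)) {
    // Missing or invalid token: nothing is stored, nothing is redirected.
    return MENU_ACCESS_DENIED;
  }
  // Stand-in for the module's existing logic (assumed): create the one-time
  // secret, store it where the other domain can look it up, then redirect.
  $secret = drupal_random_key();
  drupal_goto('https://other-domain.example/example-sso/finish', array(
    'external' => TRUE,
    'query' => array('secret' => $secret),
  ));
}
```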

rudiedirkx

Excellent!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.