My site was flagged during daily security scans as allowing an open URL redirect. I've found this issue relates to the Secure Login module. When it is enabled, open redirects are allowed; when disabled a 404 error is shown as expected.

Steps to repeat the issue:

1. Install Secure Login on site
2. Go to http://example.com/?q=http://google.com
3. You will be taken to Google (BAD!)

This is a potentially major security hole, especially for sites needing to conform to McAfee Secure PCI compliance.

Files: 

Comments

Ignigena’s picture

Status:Active» Needs review
StatusFileSize
new568 bytes

Patch attached. Issue was located in the securelogin_secure_redirect() function where no verification was done on $_GET['q'] to make sure it was redirecting to the same domain.

I added simple host match verifying on $_GET['q'] to ensure the redirection is done on the same host as the Drupal base_url.

After this patch is added open redirects are no longer an issue and instead show a 404 error as expected.

Don't use this patch ... I made a dumb mistake and forgot a in important piece of code ... see the patch in the next comment.

Ignigena’s picture

StatusFileSize
new584 bytes

Made a dumb mistake and neglected to include an important piece of code in the patch. See the updated and fixed patch below.

greggles’s picture

Status:Needs review» Closed (fixed)

@Ignigena - in the future please be sure to report security issues following the process at http://drupal.org/node/101494

This is fixed with http://drupal.org/node/1700594