06547: Arbitrary URL redirect - parameter "redirect" - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

256

ID	Project	Category	View Status	Date Submitted	Last Update

06547	Bug reports	Security	public	2012-09-04 19:07	2012-09-20 14:12

Reporter	~~user21570~~	Assigned To	c_schmitz
Priority	normal	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	1.92+
Fixed in Version	1.92+

Summary	06547: Arbitrary URL redirect - parameter "redirect"
Description	The session clearance routine "clearall" doesn't check the destination URL before issuing a HTTP redirect. poc @ github: https://gist.github.com/3623557
Steps To Reproduce	1) Navigate to a survey (e.g. https://limesurvey/index.php?sid=51928) 2) https://limesurvey/index.php?sid=51928&move=clearall&lang=de&redirect=http://www.google.de
Additional Information	Discovered by Markus Piéton (it.sec GmbH & Co. KG)
Tags	No tags attached.
Attached Files	url-redirect.pdf (347,303 bytes)

Bug heat	256
Complete LimeSurvey version number (& build)	120822
I will donate to the project if issue is resolved	No
Browser
Database type & version	MySQL
Server OS (if known)	Linux
Webserver software & version (if known)	Apache
PHP Version	PHP

User List	c_schmitz

Mazi 2012-09-06 15:23 updater ~20633	Hi Jason, I'm assigning some bug reports about some possible vulnerabilities to you because Carsten is on Holiday and will not return before Saturday (and will probably need 3-4 days to clean up his email inbox). Maybe you can have a look and fix it or add a comment and assign it to Carsten if he should have a look later.

c_schmitz 2012-09-13 14:45 administrator ~20675	Fix committed to Yii branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=9488

c_schmitz 2012-09-13 14:46 administrator ~20676	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=9489

LimeSurvey: Yii 806c96cd 2012-09-13 07:45 c_schmitz Details Diff	Fixed issue 06547: Arbitrary URL redirect - parameter "redirect"	Affected Issues 06547
	mod - application/controllers/survey/index.php	Diff File
LimeSurvey: master ecf1e594 2012-09-13 07:45 c_schmitz Details Diff	Fixed issue 06547: Arbitrary URL redirect - parameter "redirect"	Affected Issues 06547
	mod - index.php	Diff File

Date Modified	Username	Field	Change
2012-09-04 19:07	~~user21570~~	New Issue
2012-09-04 19:07	~~user21570~~	File Added: url-redirect.pdf
2012-09-06 15:23	Mazi	Assigned To	=> jcleeland
2012-09-06 15:23	Mazi	Status	new => assigned
2012-09-06 15:23	Mazi	Issue Monitored: c_schmitz
2012-09-06 15:23	Mazi	Note Added: 20633
2012-09-08 02:49	jcleeland	Assigned To	jcleeland => c_schmitz
2012-09-13 14:45	c_schmitz	Changeset attached	=> LimeSurvey Yii 806c96cd
2012-09-13 14:45	c_schmitz	Note Added: 20675
2012-09-13 14:45	c_schmitz	Resolution	open => fixed
2012-09-13 14:45	c_schmitz	Status	assigned => resolved
2012-09-13 14:45	c_schmitz	Fixed in Version	=> 1.92+
2012-09-13 14:46	c_schmitz	Changeset attached	=> LimeSurvey master ecf1e594
2012-09-13 14:46	c_schmitz	Note Added: 20676
2012-09-20 14:12	c_schmitz	Status	resolved => closed
2021-08-02 17:20	guest	Bug heat	254 => 256