Posted to dev@sling.apache.org by Konrad Windszus <ko...@gmx.de> on 2015/03/02 17:55:01 UTC

Redirect to arbitrary host via the Sling Post Servlet

Hi,

In https://issues.apache.org/jira/browse/SLING-3141 an issue was fixed which made it possible to redirect from a Sling instance to another server with a forged GET request (although a hop in the middle was necessary, namely the Login Form provided by Sling).

Currently the Sling Post Servlet (https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305) does not validate the value being passed for the parameter :redirect (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect). Although I think it can only be exploited similarly to SLING-3141 in case there is also a vulnerability in the script rendering the form, it should still not be allowed to pass arbitrary hosts IMHO. I think the same restrictions as for resources in the Sling Authenticators make sense here. For that we could leverage the method AuthUtil.isRedirectValid (https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451), although one probably needs to move that method somewhere else to prevent a direct dependency from the Sling Servlets Post Bundle on the Sling Auth Core Bundle.

WDYT?

In case you agree I would create a JIRA issue for that and try to come up with a fix.
Thanks,
Konrad
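To make the proposed restriction concrete, here is an added, illustrative validator for a user-supplied redirect target. It is not Sling's AuthUtil.isRedirectValid and not the patch from this thread; the class and method names (RedirectTargetValidator, isLocalRedirect, resolveRedirect) and the sample values in main are constructed for this example. It implements the policy the message argues for: only absolute paths on the same server (and inside the servlet context) are accepted, and anything a browser would resolve to another host falls back to a safe default.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical validator for the value of a redirect parameter (example code,
 * not Sling's AuthUtil). Policy: accept only context-relative paths on this
 * server; reject absolute URLs, protocol-relative "//host" forms, backslash
 * variants and scheme-less "host:port/..." forms.
 */
public final class RedirectTargetValidator {

    private RedirectTargetValidator() {}

    /**
     * @param contextPath the servlet context path, e.g. "" or "/sling"
     * @param target      the raw redirect parameter value
     * @return true only if target stays on this host and inside the context
     */
    public static boolean isLocalRedirect(String contextPath, String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Whitespace and control characters have no place in a Location value.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c <= 0x20 || c == 0x7f) {
                return false;
            }
        }
        // Some browsers normalise "\" to "/", so "/\host" would become "//host".
        if (target.indexOf('\\') >= 0) {
            return false;
        }
        // Must be an absolute path, but not protocol-relative ("//host/...").
        if (!target.startsWith("/") || target.startsWith("//")) {
            return false;
        }
        // A scheme or authority component means the reference leaves this host.
        final URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false; // unparsable input is rejected, not guessed at
        }
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        // Stay inside the servlet context, as the authenticators do for resources.
        String ctx = contextPath == null ? "" : contextPath;
        return ctx.isEmpty() || target.equals(ctx) || target.startsWith(ctx + "/");
    }

    /** Returns the validated target, or the request path as the safe fallback. */
    public static String resolveRedirect(String contextPath, String requestPath, String target) {
        return isLocalRedirect(contextPath, target) ? target : requestPath;
    }

    public static void main(String[] args) {
        // Constructed sample values; none refer to a real host.
        List<String> samples = Arrays.asList(
            "/content/page.html",
            "/content/page.html?x=1",
            "//other.example/landing",
            "http://other.example/",
            "/\\other.example",
            "javascript:void(0)",
            "other.example:8080/path",
            "");
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", s, isLocalRedirect("", s));
        }
        System.out.println(resolveRedirect("/sling", "/sling/content/form.html", "//other.example/"));
    }
}
```

The check is deliberately conservative: a target that java.net.URI cannot parse is refused rather than repaired, and the caller always has the current request path to fall back on, so a rejected value degrades to the servlet's default behaviour instead of an error.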

Re: Redirect to arbitrary host via the Sling Post Servlet

Posted by Konrad Windszus <ko...@gmx.de>.
Great, I provided a patch in https://issues.apache.org/jira/browse/SLING-4469.
Would you mind having a look at that?
Thanks,
Konrad

> On 03 Mar 2015, at 08:01, Antonio Sanso <as...@adobe.com> wrote:
> 
> hi Konrad
> On Mar 2, 2015, at 5:55 PM, Konrad Windszus <ko...@gmx.de> wrote:
> 
>> Hi,
>> 
>> In https://issues.apache.org/jira/browse/SLING-3141 an issue was fixed which made it possible to redirect from a Sling instance to another server with a forged GET request (although a hop in the middle was necessary, namely the Login Form provided by Sling).
>> 
>> Currently the Sling Post Servlet (https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305) does not validate the value being passed for the parameter :redirect (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect). Although I think it can only be exploited similarly to SLING-3141 in case there is also a vulnerability in the script rendering the form, it should still not be allowed to pass arbitrary hosts IMHO. I think the same restrictions as for resources in the Sling Authenticators make sense here. For that we could leverage the method AuthUtil.isRedirectValid (https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451), although one probably needs to move that method somewhere else to prevent a direct dependency from the Sling Servlets Post Bundle on the Sling Auth Core Bundle.
>> 
>> WDYT?
>> 
>> In case you agree I would create a JIRA issue for that and try to come up with a fix.
> 
> it sounds like a plan :)
> 
> regards
> 
> antonio
> 
>> Thanks,
>> Konrad
> 


Re: Redirect to arbitrary host via the Sling Post Servlet

Posted by Antonio Sanso <as...@adobe.com>.
hi Konrad
On Mar 2, 2015, at 5:55 PM, Konrad Windszus <ko...@gmx.de> wrote:

> Hi,
> 
> In https://issues.apache.org/jira/browse/SLING-3141 an issue was fixed which made it possible to redirect from a Sling instance to another server with a forged GET request (although a hop in the middle was necessary, namely the Login Form provided by Sling).
> 
> Currently the Sling Post Servlet (https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305) does not validate the value being passed for the parameter :redirect (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect). Although I think it can only be exploited similarly to SLING-3141 in case there is also a vulnerability in the script rendering the form, it should still not be allowed to pass arbitrary hosts IMHO. I think the same restrictions as for resources in the Sling Authenticators make sense here. For that we could leverage the method AuthUtil.isRedirectValid (https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451), although one probably needs to move that method somewhere else to prevent a direct dependency from the Sling Servlets Post Bundle on the Sling Auth Core Bundle.
> 
> WDYT?
> 
> In case you agree I would create a JIRA issue for that and try to come up with a fix.

it sounds like a plan :)

regards

antonio

> Thanks,
> Konrad