Posted to dev@sling.apache.org by Konrad Windszus <ko...@gmx.de> on 2015/03/02 17:55:01 UTC
Redirect to arbitrary host via the Sling Post Servlet
Hi,
in https://issues.apache.org/jira/browse/SLING-3141 an issue was fixed which made it possible to redirect from a Sling instance to another server with a forged GET request (although a hop in the middle was necessary, namely the login form provided by Sling).
Currently the Sling Post Servlet (https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305) does not validate the value being passed for the parameter :redirect (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect). Although I think it can only be exploited similarly to SLING-3141 in case there is also a vulnerability in the script rendering the form, it should still not be allowed to pass arbitrary hosts IMHO. I think the same restrictions as for resources in the Sling Authenticators make sense here. For that we could leverage the method AuthUtil.isRedirectValid (https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451), although one probably needs to move that method somewhere else to prevent a direct dependency from the Sling Servlets Post Bundle on the Sling Auth Core Bundle.
WDYT?
In case you agree I would create a JIRA issue for that and try to come up with a fix.
Thanks,
Konrad
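The following Java class is an added example illustrating the kind of host-confinement check discussed in this message; it is not code from the thread, not part of Sling, and not the body of AuthUtil.isRedirectValid (which may perform further checks, such as resolving the target as a resource). The class name RedirectTargetCheck, the method isLocalRedirect and its two parameters are assumptions made for the example. The idea is that a redirect parameter like :redirect is only honoured when it is an absolute path under the servlet context, carries no scheme or authority, and contains no characters a browser or header parser could reinterpret.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Host-confinement check for a redirect target taken from a request
 * parameter such as the Sling Post Servlet's :redirect.
 * Added example for this thread; not Sling code and not AuthUtil.isRedirectValid.
 */
public final class RedirectTargetCheck {

    private RedirectTargetCheck() {
    }

    /**
     * Returns true only when {@code target} keeps the browser on this
     * instance: an absolute path (optionally with query and fragment)
     * under the servlet context path, with no scheme, no authority and no
     * control characters.
     *
     * @param contextPath servlet context path, "" for the root context
     * @param target      raw value of the redirect parameter
     */
    public static boolean isLocalRedirect(String contextPath, String target) {
        if (target == null || target.isEmpty()) {
            return false;
        }
        // Control characters (CR, LF, TAB, ...) have no place in a
        // Location header value; CR/LF would split the header.
        for (int i = 0; i < target.length(); i++) {
            char c = target.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        // "//host" is protocol-relative, and browsers also collapse
        // "///host" and "/\host" to it, so refuse both forms before parsing.
        if (target.startsWith("//") || target.indexOf('\\') >= 0) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return false;
        }
        // A scheme ("http:", "javascript:") or an authority means the
        // browser would leave this host.
        if (uri.getScheme() != null || uri.getRawAuthority() != null) {
            return false;
        }
        String path = uri.getRawPath();
        if (path == null || !path.startsWith("/")) {
            return false;
        }
        // Finally confine the path to this web application's context.
        String ctx = (contextPath == null) ? "" : contextPath;
        return ctx.isEmpty() || path.equals(ctx) || path.startsWith(ctx + "/");
    }

    /** Constructed sample inputs; the outcome the check should give is listed beside each. */
    public static void main(String[] args) {
        String[][] cases = {
            { "/content/page.html", "accept" },
            { "/content/page.html?status=ok#top", "accept" },
            { "http://evil.example/", "reject" },
            { "//evil.example/", "reject" },
            { "///evil.example/", "reject" },
            { "/\\evil.example", "reject" },
            { "javascript:alert(1)", "reject" },
            { "/content\r\nSet-Cookie: x=y", "reject" },
            { "content/page.html", "reject" },
        };
        for (String[] c : cases) {
            boolean ok = isLocalRedirect("", c[0]);
            System.out.printf("%-36s -> %s (expected %s)%n",
                    c[0].replace("\r\n", "\\r\\n"), ok ? "accept" : "reject", c[1]);
        }
    }
}
```

In a servlet the context path would come from HttpServletRequest.getContextPath(); a rejected target should fall back to the servlet's default response rather than being echoed into a Location header. Whether the target must additionally resolve to an existing resource, as the authenticators require, is a separate decision that this example leaves to the bundle the thread proposes reusing.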
Re: Redirect to arbitrary host via the Sling Post Servlet
Posted by Konrad Windszus <ko...@gmx.de>.
Great, I provided a patch in https://issues.apache.org/jira/browse/SLING-4469.
Would you mind having a look at that?
Thanks,
Konrad
> On 03 Mar 2015, at 08:01, Antonio Sanso <as...@adobe.com> wrote:
>
> hi Konrad
> On Mar 2, 2015, at 5:55 PM, Konrad Windszus <ko...@gmx.de> wrote:
>
>> Hi,
>>
>> in https://issues.apache.org/jira/browse/SLING-3141 an issue was fixed which made it possible to redirect from a Sling instance to another server with a forged GET request (although a hop in the middle was necessary, namely the login form provided by Sling).
>>
>> Currently the Sling Post Servlet (https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305) does not validate the value being passed for the parameter :redirect (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect). Although I think it can only be exploited similarly to SLING-3141 in case there is also a vulnerability in the script rendering the form, it should still not be allowed to pass arbitrary hosts IMHO. I think the same restrictions as for resources in the Sling Authenticators make sense here. For that we could leverage the method AuthUtil.isRedirectValid (https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451), although one probably needs to move that method somewhere else to prevent a direct dependency from the Sling Servlets Post Bundle on the Sling Auth Core Bundle.
>>
>> WDYT?
>>
>> In case you agree I would create a JIRA issue for that and try to come up with a fix.
>
> it sounds like a plan :)
>
> regards
>
> antonio
>
>> Thanks,
>> Konrad
>
Re: Redirect to arbitrary host via the Sling Post Servlet
Posted by Antonio Sanso <as...@adobe.com>.
hi Konrad
On Mar 2, 2015, at 5:55 PM, Konrad Windszus <ko...@gmx.de> wrote:
> Hi,
>
> in https://issues.apache.org/jira/browse/SLING-3141 an issue was fixed which made it possible to redirect from a Sling instance to another server with a forged GET request (although a hop in the middle was necessary, namely the login form provided by Sling).
>
> Currently the Sling Post Servlet (https://github.com/apache/sling/blob/trunk/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/impl/SlingPostServlet.java#L305) does not validate the value being passed for the parameter :redirect (http://sling.apache.org/documentation/bundles/manipulating-content-the-slingpostservlet-servlets-post.html#redirect). Although I think it can only be exploited similarly to SLING-3141 in case there is also a vulnerability in the script rendering the form, it should still not be allowed to pass arbitrary hosts IMHO. I think the same restrictions as for resources in the Sling Authenticators make sense here. For that we could leverage the method AuthUtil.isRedirectValid (https://github.com/apache/sling/blob/trunk/bundles/auth/core/src/main/java/org/apache/sling/auth/core/AuthUtil.java#L451), although one probably needs to move that method somewhere else to prevent a direct dependency from the Sling Servlets Post Bundle on the Sling Auth Core Bundle.
>
> WDYT?
>
> In case you agree I would create a JIRA issue for that and try to come up with a fix.
it sounds like a plan :)
regards
antonio
> Thanks,
> Konrad