#34668 closed Bug (invalid)

Unvalidated Redirect from "PATH_INFO" URI Parameter on "/admin/auth/group/{n}/change/" page.

Reported by: Gilson
Owned by: nobody
Component: Uncategorized
Version: 4.0
Severity: Normal
Keywords: Contrast, Security
Cc: (none)
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

This problem is being reported by Contrast Security running against an application running Django 4.0.7 (Python 3.9)

What happened?
We tracked the following data from "PATH_INFO" URI Parameter:

POST /admin/auth/group/1/change/

csrfmiddlewaretoken=8XVqoUhd1vsQJOkHv3YUCIOg9ijWYTIInQkcPY155vcPDjgLn8O45v7B1T1Qp1hB&name=test&permissions=17&permissions=18&permissions=19&permissions=20&permissions=25&permissions=26&permissions=27&permissions=28&permissions=21&permissions=22&permissions=23&permissions=24&permissions=29&permissions=30&permissions=31&permissions=32&permissions=1&permissions=2&permissions=3&permissions=4&permissions=5&permissions=6&permissions=7&permissions=8&permissions=37&permissions=38&permissions=39&permissions=40&permissions=41&permissions=42&permissions=43&permissions=44&permissions=33&permissions=34&permissions=35&permissions=36&permissions=9&permissions=10&permissions=11&permissions=12&permissions=13&permissions=14&permissions=15&permissions=16&_continue=Save+and+continue+editing

...which was accessed within the following code:

Unknown (Your agent is not configured to collect stack traces)
...and ended up being used to redirect the user's browser to:
/admin/auth/group/1/change/

What's the risk?

As shown, the target of that redirect is pulled from data controlled by the user. This means it's possible an attacker can send a user a link that initially goes to your site, but immediately directs to a site they control. This could be used to greatly increase the likelihood of success of a phishing campaign.

On the how to fix tab, Contrast reported the following:

Right now, there appears to be a function in your application that works something like this:

http://yoursite.com/path?url=http://partner.com/

As discussed in the summary, this can be used to lend credibility to phishing attacks, cause embarrassing links to circulate, or even introduce XSS, depending on the circumstances (like if the victim's browser supports redirecting to the data:/javascript: protocols). There are a few good ways to address this issue:

  • Use maps to filter out invalid values. Instead of accepting input like url=string, accept partner=int. That int can be a key in a Map that points to an allowed value. If the map has no corresponding value for the key given, then throw an error.
  • Strongly validate the URL. Ensure that the targeted URL belongs to an expected destination. Many naive implementations will do something similar to this unsafe pattern:
    if url.startswith('http://expected-domain.com'):
        redirect(url)

An attacker can create their own subdomain at expected-domain.com.attacker-website-here and pass the validation. A stronger validation would be to create a urllib.parse.ParseResult object using urllib.parse.urlparse (just urlparse.urlparse in Python 2.7) of the given String, and validate that the URL's netloc property returns exactly what's expected:

    import urllib.parse

    parsed = urllib.parse.urlparse(url)  # urlparse.urlparse(url) in Python 2.7
    if parsed.netloc == 'expected-domain.com':  # exact host match, not a prefix match
        redirect(url)

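The netloc check above, carried through as an added stand-alone example (not Django's own code and not part of the report): it accepts the same-origin relative path from the ticket and rejects the subdomain trick from the how-to-fix text, plus the protocol-relative, backslash and scheme-only forms that an exact netloc comparison alone does not cover. `ALLOWED_HOSTS` and the candidate URLs are assumed/constructed values; Django itself ships a comparable check as `django.utils.http.url_has_allowed_host_and_scheme`.

```python
import unicodedata
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"expected-domain.com"}  # assumed: hosts this site is served from
ALLOWED_SCHEMES = {"http", "https"}      # no javascript:, data:, etc.


def _host_and_scheme_ok(url, allowed_hosts):
    # Browsers read three or more leading slashes as an absolute URL; urlsplit does not.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///attacker.example": scheme present but empty netloc; browsers still see a host.
    if parts.scheme and not parts.netloc:
        return False
    # Some browsers skip leading control characters, which can hide a leading "//".
    if unicodedata.category(url[0])[0] == "C":
        return False
    # A scheme-relative URL ("//host/...") is effectively http for this purpose.
    scheme = parts.scheme or ("http" if parts.netloc else "")
    host_ok = not parts.netloc or parts.netloc in allowed_hosts  # exact match, fail closed
    scheme_ok = not scheme or scheme in ALLOWED_SCHEMES
    return host_ok and scheme_ok


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """True only for a relative path or an http(s) URL whose netloc is an allowed host."""
    if url is None or not url.strip():
        return False
    url = url.strip()
    # Browsers treat "\" like "/", so the backslash-normalised form must pass as well.
    return (_host_and_scheme_ok(url, allowed_hosts)
            and _host_and_scheme_ok(url.replace("\\", "/"), allowed_hosts))


def naive_startswith_check(url):
    # The unsafe prefix pattern quoted in the report, kept only for comparison.
    return url.startswith("http://expected-domain.com")


if __name__ == "__main__":
    # Constructed inputs: the ticket's own redirect target and the bypass shapes discussed above.
    for candidate in ["/admin/auth/group/1/change/",
                      "http://expected-domain.com.attacker-website-here/",
                      "//attacker.example/", "/\\attacker.example", "javascript:alert(1)"]:
        print(f"{candidate!r}: naive={naive_startswith_check(candidate)} "
              f"safe={is_safe_redirect(candidate)}")
```
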
Change History (1)

comment:1 by Mariusz Felisiak, 11 months ago

Resolution: invalid
Status: new → closed
Summary: Unvalidated Redirect from "PATH_INFO" URI Parameter on "/admin/auth/group/{n}/change/" page (Contrast ID H1IN-BYU5-LGUM-6Z76) → Unvalidated Redirect from "PATH_INFO" URI Parameter on "/admin/auth/group/{n}/change/" page.

Please don't copy security reports related to your own sites to the Django bug tracker. You can use one of the support channels if you're having trouble understanding them or how Django works.
