Description
Drupal Core allows the redirect target to be overridden through the destination query parameter. An attacker can use this to redirect a user to an external domain. For example, the following URL:

http://www.drupal.local//?destination=https://attacker.com\@www.drupal.local/

redirects the user to the domain attacker.com.
Remediation
Upgrade to the latest version of Drupal.
Block requests with multiple forward slashes that contain an external domain in the destination parameter.
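The check described above, written as an added example that is not part of this advisory or of Drupal's code. It normalizes a destination value the way browsers do (backslash treated as a forward slash, per the WHATWG URL rules) and then accepts only site paths or URLs on the site's own host; naive_host shows why a parser that does not treat backslash as a separator reports the wrong host for the advisory's request. The host name www.drupal.local and the request line are taken from the description; the rule goes slightly beyond the advisory's wording by blocking any external destination, not only those on a path with repeated slashes.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Site host name taken from the advisory's example request (assumed to be the protected site).
LOCAL_HOST = "www.drupal.local"


def normalize(dest: str) -> str:
    """Approximate browser URL handling: decode once more (catches double
    encoding), drop tab/CR/LF, and treat backslash like a forward slash."""
    d = unquote(dest).strip()
    d = "".join(ch for ch in d if ch not in "\t\r\n")
    return d.replace("\\", "/")


def naive_host(dest: str) -> str:
    """Host as reported by a parser that does NOT treat backslash as a
    separator: the userinfo trick makes it see the local host."""
    return urlsplit(dest).hostname or ""


def is_local_destination(dest: str, local_host: str = LOCAL_HOST) -> bool:
    """True only if dest resolves to a location on local_host after normalization."""
    d = normalize(dest)
    parts = urlsplit(d)
    if parts.netloc:
        # Absolute or protocol-relative URL (also /\host once normalized): host must match.
        return parts.scheme in ("", "http", "https") and parts.hostname == local_host.lower()
    if parts.scheme or d.startswith("//"):
        # Non-web scheme, or a malformed form browsers still resolve to a host
        # (e.g. http:/host, ///host): never treat as local.
        return False
    return True  # plain site path such as /node/1 or user/login


def should_block(request_url: str, local_host: str = LOCAL_HOST) -> bool:
    """Detection rule: block a request whose destination parameter is not local.
    (The advisory's wording additionally requires repeated slashes in the path;
    this version is stricter and blocks any external destination.)"""
    parts = urlsplit(request_url)
    dest = parse_qs(parts.query).get("destination", [""])[0]
    return bool(dest) and not is_local_destination(dest, local_host)


if __name__ == "__main__":
    # Request line from the advisory's description.
    req = "http://www.drupal.local//?destination=https://attacker.com\\@www.drupal.local/"
    print("naive host:", naive_host(parse_qs(urlsplit(req).query)["destination"][0]))
    print("block:", should_block(req))
```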