Description

Drupal Core allows the redirect target to be overridden through the destination query parameter. Because the value is accepted as a redirect target, an attacker can use it to send the user to an external domain. For example, the following URL:

http://www.drupal.local//?destination=https://attacker.com\@www.drupal.local/

will redirect the user to the domain attacker.com. The backslash before the @ is what defeats a simple host check: Drupal's URL parsing treats www.drupal.local as the host, while the browser treats the backslash as a forward slash and sends the user to attacker.com.

Remediation

Upgrade to the latest version of Drupal.
Until the upgrade is applied, block requests whose path contains multiple consecutive forward slashes and whose destination parameter resolves to an external domain.
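The following Python is an added defensive example, not code from the original advisory or from Drupal itself. It shows why a plain parse of the destination value reports the trusted host, and a check that first normalises the value the way a browser would before deciding whether it points off-site. The trusted host name and the sample request URL are assumptions for this example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed for this example: the host name(s) the Drupal site is served on.
TRUSTED_HOSTS = {"www.drupal.local"}


def naive_host(destination: str) -> str:
    """Host as a straightforward URL parser sees it. For the value
    'https://attacker.com\\@www.drupal.local/' the text before '@' is taken
    as userinfo, so the host comes back as the trusted site."""
    return urlsplit(destination).hostname or ""


def browser_normalize(value: str) -> str:
    """Approximate how a browser canonicalises the value: percent-decode
    (so an encoded backslash is treated the same way, which is conservative
    for a blocking rule) and turn backslashes into forward slashes, since
    browsers treat '\\' as '/' in http(s) URLs. The attack value then becomes
    'https://attacker.com/@www.drupal.local/' whose host is attacker.com."""
    return unquote(value).replace("\\", "/")


def destination_is_external(destination: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True if following the destination would take the browser off-site.
    Bare paths such as 'node/1' are internal; absolute and scheme-relative
    ('//host/...') URLs are external unless the host is one we own."""
    parts = urlsplit(browser_normalize(destination))
    if not parts.netloc:
        return False
    return (parts.hostname or "").lower() not in trusted_hosts


def should_block(request_url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """The rule from the remediation text: block when the request path has
    consecutive slashes AND the destination parameter is external."""
    parts = urlsplit(request_url)
    double_slash_path = "//" in parts.path
    destinations = parse_qs(parts.query).get("destination", [])
    external = any(destination_is_external(d, trusted_hosts) for d in destinations)
    return double_slash_path and external


if __name__ == "__main__":
    # Constructed sample request, modelled on the advisory's example URL.
    sample = "http://www.drupal.local//?destination=https://attacker.com\\@www.drupal.local/"
    print("naive host:", naive_host("https://attacker.com\\@www.drupal.local/"))
    print("block:", should_block(sample))
```

Dropping the double-slash condition and rejecting any external destination outright is the stricter variant; the function above follows the advisory's rule so the two behaviours can be compared.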
