Description
Drupal Core allows the redirect target to be overridden through the destination query parameter. Because the parameter value is not restricted to the site's own host, an attacker can craft a link that redirects the user to an external domain. For example, the following URL:
http://www.drupal.local//?destination=https://attacker.com\@www.drupal.local/ will redirect the user to the domain attacker.com (browsers treat the backslash as a path separator, so the host portion ends at attacker.com while a naive server-side parser may still see www.drupal.local).
Remediation
Upgrade to the latest version of Drupal.
Block requests with multiple forward slashes that contain an external domain in the destination parameter.
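The parser differential behind the URL above, and the remediation's double-slash rule, as an added Python example (not Drupal's own code); SITE_HOST and the sample request are assumptions constructed for it:

```python
from urllib.parse import urlsplit, parse_qs

# Host the site legitimately serves; an assumption for this example.
SITE_HOST = "www.drupal.local"


def naive_host(dest: str):
    """Host as a server-side check sees it when it takes the raw string at face value."""
    return urlsplit(dest).hostname


def browser_host(dest: str):
    """Host a browser will actually navigate to.

    In http(s) URLs browsers treat a backslash as a path separator, so
    'https://attacker.com\\@www.drupal.local/' is read as
    'https://attacker.com/@www.drupal.local/' and the host is attacker.com.
    """
    return urlsplit(dest.strip().replace("\\", "/")).hostname


def is_external_redirect(dest: str, site_host: str = SITE_HOST) -> bool:
    """True if following `dest` would leave `site_host`."""
    parts = urlsplit(dest.strip().replace("\\", "/"))
    if parts.netloc:                       # absolute or scheme-relative URL
        return (parts.hostname or "").lower() != site_host.lower()
    if parts.scheme:                       # e.g. javascript: or data: targets
        return True
    return False                           # plain relative path such as /user


def check_request(url: str, site_host: str = SITE_HOST) -> dict:
    """Apply the remediation rule: flag a request whose path begins with '//'
    and whose destination parameter resolves to an external host."""
    parts = urlsplit(url)
    dests = parse_qs(parts.query).get("destination", [])
    external = any(is_external_redirect(d, site_host) for d in dests)
    double_slash = parts.path.startswith("//")
    return {"double_slash": double_slash,
            "external_destination": external,
            "block": double_slash and external}


# Constructed sample matching the URL in the description above.
SAMPLE = "http://www.drupal.local//?destination=https://attacker.com\\@www.drupal.local/"

if __name__ == "__main__":
    dest = parse_qs(urlsplit(SAMPLE).query)["destination"][0]
    print("server-side parser sees host:", naive_host(dest))   # www.drupal.local
    print("browser navigates to host:  ", browser_host(dest))  # attacker.com
    print(check_request(SAMPLE))
```

Normalising backslashes before parsing is what closes the gap between what the server validates and where the browser actually goes.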
Related Vulnerabilities
Liferay Portal URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2022-28977)
WordPress Plugin Quick Page/Post Redirect Open Redirect (5.1.5)
WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.15)
WordPress URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2018-10100)