Arbitrary URL redirection vulnerability
unam4 opened this issue · 3 comments
unam4 commented
This is the English vulnerability report; the Chinese one is at 任意url跳转.
Description
@RequestMapping(value = "index") When logging in, there is no restriction on __url, resulting in a jump to the forged page after successful login.
Vulnerability details
After receiving the request, the interface gets the address of __url.
com.jeesite.modules.sys.web#index()
It gets the value of __url from the request and, if authentication succeeds, jumps to the constructed URL.
TEST
url:*****/js/a/login?__url=http://baidu.com/
LOCAL TEST:http://localhost:8980/js/a/login?__url=http://baidu.com/
The request successfully jumps to the constructed URL.
suansuaner commented
Hello, your email has been received. Thank you very much!
jsonxie commented
I have received your email.
think-gem commented
Solution:

```java
// ...
String successUrl = request.getParameter("__url");
if (StringUtils.isBlank(successUrl)) {
    successUrl = (String) request.getAttribute("__url");
}
// Added code: if __url is an absolute URL, drop its scheme and host so only
// the path is kept, then strip the context path so the redirect stays local.
if (StringUtils.contains(successUrl, "://")) {
    String domain = getRequestDomain(successUrl);
    successUrl = StringUtils.substring(successUrl, domain.length());
    if (StringUtils.startsWith(successUrl, request.getContextPath())) {
        successUrl = StringUtils.substringAfter(successUrl, request.getContextPath());
    }
}
// ...
// Added method: returns the "scheme://host[:port]" prefix of an absolute URL.
private String getRequestDomain(String url) {
    String scheme = StringUtils.substringBefore(url, "://");
    String domain = StringUtils.substringAfter(url, "://");
    if (StringUtils.contains(domain, "/")) {
        domain = StringUtils.substringBefore(domain, "/");
    }
    return scheme + "://" + domain;
}
```
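A hardened variant of the same idea, added here as an example and not JeeSite's own code: it reduces the requested `__url` to an application-local path using `java.net.URI`, and, going beyond the posted `"://"` test, also refuses opaque schemes and scheme-relative targets. The class name `SafeRedirect`, the method `toLocalPath` and the sample inputs are assumptions made for this example.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class SafeRedirect {
    // Reduce a requested post-login target to an application-local path, or return fallback.
    public static String toLocalPath(String requested, String contextPath, String fallback) {
        String s = requested == null ? "" : requested.trim();
        // Browsers fold backslashes and control characters in ways java.net.URI
        // does not model; refuse such input instead of guessing.
        if (s.isEmpty() || s.indexOf('\\') >= 0 || s.chars().anyMatch(c -> c < 0x20)) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(s);
        } catch (URISyntaxException e) {
            return fallback;
        }
        if (uri.isOpaque()) {               // "javascript:", "mailto:" and the like
            return fallback;
        }
        // No host given: accept only a path rooted with exactly one slash, since
        // a browser treats "//host" (and "///host") as scheme-relative.
        if (uri.getScheme() == null && uri.getRawAuthority() == null
                && (!s.startsWith("/") || s.startsWith("//"))) {
            return fallback;
        }
        // Absolute and scheme-relative targets: keep path and query, drop the host.
        String path = uri.getRawPath() == null ? "" : uri.getRawPath();
        // Like the posted fix, strip the servlet context path so the caller can
        // redirect relative to the application root.
        if (path.equals(contextPath) || path.startsWith(contextPath + "/")) {
            path = path.substring(contextPath.length());
        }
        if (path.isEmpty()) {
            path = "/";
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) {
        // Constructed sample inputs against the "/js" context path seen in the report.
        String[] inputs = { "http://baidu.com/", "http://localhost:8980/js/a/index?x=1",
                "//evil.example/x", "///evil.example", "javascript:alert(1)", "/js/a/sys/user" };
        for (String in : inputs) {
            System.out.println(in + " -> " + toLocalPath(in, "/js", "/"));
        }
    }
}
```

In the login handler, `toLocalPath(request.getParameter("__url"), request.getContextPath(), "/")` would replace the raw parameter before the redirect is issued.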