Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.
Open redirect vulnerability on my 2.1.11 site, but not here?
almostbasic
New
I had a user report an open redirect vulnerability on our site with a URL like this:
/activity/post/24003?Target=http://example.com
On my site, for a logged in user, that will redirect them to "example.com" with no warning.
On my development server:
Updated to version 2.1.11
all plugins disabled
Baseline theme enabled
and this redirect works, but if I try that here, it just goes to vanillaforums.org/activity
Any idea why that would happen on my site with no plugins and the baseline theme? Any idea how to prevent that?
Thanks in advance for the help!
0
Comments
They introduced a function called
isSafeUrl()in 2.2 that makes sure the redirect domain matches the request host.The version of Vanilla here 2.2.100.3 which is considered alpha for self hosting.
If you want to "patch" this now, I would suggest defining a custom
Redirectfunction in your/conf/bootstrap.early.phpfile:if (!function_exists('Redirect')) { function Redirect($Destination = FALSE, $StatusCode = NULL) { $ParsedUrl = parse_url($Destination); if (!$Destination || $ParsedUrl === FALSE || $ParsedUrl['host'] != Gdn::Request()->Host()) { $Destination = Url(''); } // Close any db connections before exit $Database = Gdn::Database(); $Database->CloseConnection(); // Clear out any previously sent content @ob_end_clean(); // assign status code $SendCode = (is_null($StatusCode)) ? 302 : $StatusCode; // re-assign the location header header("Location: ".Url($Destination), TRUE, $SendCode); // Exit exit(); } }Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
Thanks for the help - bootstrap.early.php didn't do it, but bootstrap.before.php did - is there any issues with that setup?
Thanks again!
Just noticed it redirects to:
/forum/forum/activity/post/24003?Target=http%3A%2F%2Fexample.com
(it doubles the /forum folder)
Any idea how to get it to redirect back to the activity page like on this forum?
Or even if it just 404'd like now, but without doubling the forum folder in the url.
Thanks again for all of your help!
@hgtonight - Any ideas on how to get this to redirect without doubling the /forum/ folder? I'll buy you a beer or a really fancy coffee
Bump! Any ideas?
I think forcing an absolute url would work best.:
if (!function_exists('Redirect')) { function Redirect($Destination = FALSE, $StatusCode = NULL) { $ParsedUrl = parse_url($Destination); if (!$Destination || $ParsedUrl === FALSE || $ParsedUrl['host'] != Gdn::Request()->Host()) { $Destination = Url('', true); } // Close any db connections before exit $Database = Gdn::Database(); $Database->CloseConnection(); // Clear out any previously sent content @ob_end_clean(); // assign status code $SendCode = (is_null($StatusCode)) ? 302 : $StatusCode; // re-assign the location header header("Location: ".Url($Destination, true), TRUE, $SendCode); // Exit exit(); } }Search first
Check out the Documentation! We are always looking for new content and pull requests.
Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.
Putting the main activity page in as the destination URL worked flawlessly. Thanks for the help!
Minor update in case anyone else tries to do this:
I noticed that these URL's would cause a redirect loop for guests, so I changed the:
$Destination = Url('', true);line to the forum root like:
$Destination = Url('http://www.mydomain.com/forum/', true);This works well for guests and members alike.
Thanks again for the help @hgtonight !