by rramos » Tue Oct 09, 2012 12:31 am
It seems it is possible to forward a user to a page outside the organization when performing authentication. This is due to incorrect validation of input data. A potential attacker could use this vulnerability to perform customized redirects without user intervention and thus modify the redirect to point to another page. This makes it possible to perform other types of attacks, such as theft of user data or sessions.
In tests carried out on our development servers, we detected that in one of the requests made to the server during the authentication process in the application, there is a parameter "source" which includes a return address that can be manipulated.
How can we correct this vulnerability?
Thanks!!
by JasonNugent » Wed Oct 10, 2012 6:31 am
Hi rramos,
You're correct, the redirection that occurs after login should be sanitized to ensure that it is to a page within OJS. However, the risk in the current situation is quite low -- someone wishing to redirect you to a page of their choosing would need to a) know that you had an account within an OJS installation or an active session, and b) convince you somehow to follow their crafted link.
I have filed this as a bug at http://pkp.sfu.ca/bugzilla/show_bug.cgi?id=7959 if you wish to add yourself to the CC list in order to be notified when it is fixed.
Regards,
Jason
Software Developer, Public Knowledge Project
by rramos » Thu Oct 11, 2012 4:13 am
Thank you very much for your help.
by rramos » Fri Nov 09, 2012 1:27 am
If anyone is interested I modified the code:
lib/pkp/pages/login/PKPLoginHandler.inc.php
In this file I created a small patch:
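Code:
    // Clear $source unless it is a local path starting with a single "/".
    function antiXSS(&$source) {
        // strpos() returns false when "/" is absent and false == 0 is true,
        // so the position is compared strictly.
        $isLocal = is_string($source) && strpos($source, '/') === 0 && strpos($source, '//') !== 0;
        if (!$isLocal) {
            $source = "";
        }
    }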
and in this other function I called my function:
Code:
    function signIn() {
        $this->validate();
        $this->setupTemplate();
        if (Validation::isLoggedIn()) {
            PKPRequest::redirect(null, 'user');
        }
        if (Config::getVar('security', 'force_login_ssl') && Request::getProtocol() != 'https') {
            // Force SSL connections for login
            PKPRequest::redirectSSL();
        }
        $user = Validation::login(Request::getUserVar('username'), Request::getUserVar('password'), $reason, Request::getUserVar('remember') == null ? false : true);
        if ($user !== false) {
            if ($user->getMustChangePassword()) {
                // User must change their password in order to log in
                Validation::logout();
                PKPRequest::redirect(null, null, 'changePassword', $user->getUsername());
            } else {
                $source = Request::getUserVar('source');
                $this->antiXSS($source); // MY FUNCTION
It's silly but it works
GREETINGS!!
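The check discussed in this thread, restricting the "source" return address to a page on the same site, as an added example that is not code from the thread or from PKP. The helper name localRedirectTarget() and the sample values are constructed for illustration.

```php
<?php
// Added example: validate a post-login return address such as the "source"
// parameter discussed in this thread. localRedirectTarget() is a hypothetical
// helper, not part of OJS or the PKP library.

/**
 * Return $source if it is a same-site absolute path, otherwise $fallback.
 */
function localRedirectTarget($source, $fallback = '') {
    if (!is_string($source) || $source === '') {
        return $fallback;
    }
    // Control characters (CR, LF, tab, NUL ...) have no place in a redirect
    // target; browsers may strip them, turning "/\t/host" into "//host".
    if (preg_match('/[\x00-\x1F\x7F]/', $source)) {
        return $fallback;
    }
    // Must start with "/". strpos() returns false when the needle is absent,
    // and false == 0 is true in PHP, so a strict comparison is required.
    if (strpos($source, '/') !== 0) {
        return $fallback;
    }
    // "//host" is protocol-relative and "/\host" is read as "//host" by
    // browsers, so the second character must not be a slash or backslash.
    if (isset($source[1]) && ($source[1] === '/' || $source[1] === '\\')) {
        return $fallback;
    }
    return $source;
}

// Constructed sample values for the "source" parameter.
$samples = array(
    '/ojs/index.php/index/user',   // local path
    'http://example.org/',         // absolute URL
    '//example.org/',              // protocol-relative URL
    '/\\example.org/',             // backslash variant
    'example.org',                 // no leading slash
    "/index.php\r\nX-Test: 1",     // embedded CR/LF
);
foreach ($samples as $sample) {
    $result = localRedirectTarget($sample);
    $shown = json_encode($sample, JSON_UNESCAPED_SLASHES);
    printf("%-34s => %s\n", $shown, $result === '' ? '(rejected)' : $result);
}
```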