Drupal Global Redirect 6.x-1.2 Arbitrary Redirection

30 November -0001

Update:

It has been pointed out to me that this vulnerability was discovered and disclosed a month ago at http://drupal.org/node/768244! Apologies for the confusion. I fucked up by not searching Drupal.org for evidence of the issue before reporting it! Completely my bad. Facepalm moment ensues for duration.

To be completely clear, Drupal security was not involved in the prior disclosure, it was made by folks associated with the module.

CVE

CVE-2010-2021

Description of Vulnerability:

Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Global Redirect module (http://drupal.org/project/globalredirect) is designed to address issues with path aliases in Drupal that could result in user confusion or search engine sandboxing. Unfortunately the Global Redirect does not perform adequate input checking.

Severity:

Critical

Systems affected:

Drupal 6.16 with Global Redirect 6.x-1.2 was tested and shown to be vulnerable.

Impact

Attackers can provide links to target site that actually redirect users to third party sites. Such tactics are common in phishing and other trust exploitation attacks. For instance, attackers could provide a link to a legitimate site in an e-mail that when clicked on would take the user to an untrusted third party site. For more information on open redirect vulnerabilities see CWE-601: URL Redirection to Untrusted Site ('Open Redirect').

Mitigating factors:

The Drupal Global Redirect module must be installed and enabled. In order to execute the proof of concept described below the attacker must trick a user into clicking on a link with malicious parameters.

Proof of Concept:

Attackers need only provide a link to the target site appended with /index.php?q=[target_url]. For instance, if the site in question were http://172.16.46.129/drupal-6.16, the following link would redirect the user to the Google.com homepage:

http://172.16.46.129/drupal-6.16/index.php?q=http://www.google.com

Technical Discussion:

The drupal_goto function (http://api.drupal.org/api/function/drupal_goto) normally restricts redirects to local links utilizing a check on lines 323-327 in includes/common.inc. However, the Global Redirect module does not perform any such checking. If a redirect request is detected in the form of a URL get parameter of 'q' when calling the index page the Global Redirect module forwards the request to the parameter value.

Patch:

Applying the following patch mitigates this vulnerability:

--- globalredirect/globalredirect.module        2008-12-22 05:34:32.000000000 -0500
+++ globalredirect.fixed/globalredirect.module  2010-05-21 15:26:08.497695637 -0400
@@ -146,7 +146,12 @@ function globalredirect_init() {
     if ($_REQUEST['q'] != $prefix . $alias) {
       // If it's not just a slash or user has deslash on, redirect
       if (str_replace($prefix . $alias, '', $_REQUEST['q']) != '/' || $redirect_slash) {
-        drupal_goto($alias, $query_string, NULL, 301);
+        // Do not redirect to an absolute URL originating from user input.
+               $colonpos = strpos($alias, ':');
+               $absolute = ($colonpos !== FALSE && !preg_match('![/?#]!', substr($alias, 0, $colonpos)));
+               if (!$absolute) {
+                       drupal_goto($alias, $query_string, NULL, 301);
+               }
       }
     }