SilverStripe advisory identifier: SS-2014-006
Versions Affected: 3.0.9, 3.1.3, and all previous versions.
Notified on: 2014-02-28
By crafting the value passed into Controller->redirect(), usually by setting the redirectURL GET parameter on a page that calls Controller->redirectBack(), an attacker can inject script into the response: if the page being requested has already sent output to the browser before the redirect call is made, the value passed is written directly into the response body without escaping, allowing XSS.
If the server has a large enough output buffer that the headers have not yet been sent to the browser by the time the redirect call is made, the redirect is performed with a normal Location header and this attack will not work.
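The following is an added illustration, not SilverStripe's own code. It models the fallback behaviour the advisory describes: once output has already been sent, a Location header can no longer be set, so the framework echoes an HTML link (and a meta refresh) containing the redirect URL. The function names, the simulated dev/build handler and the attacker values for redirectURL are all constructed for this example; the hardened variant shows the two checks a fix needs, validating that the target is a local path and HTML-escaping it before it lands in markup.

```php
<?php
// Added illustration, not SilverStripe's own code: it models the fallback the
// advisory describes. A redirect issued after output has already been sent
// cannot use a Location header, so the framework echoes an HTML link and a
// meta refresh containing the redirect URL. Function names and the payloads
// below are constructed for this example.

// Vulnerable fallback: the URL is interpolated into HTML as-is.
function redirect_fallback_vulnerable(string $url): string
{
    return '<p>Redirecting to <a href="' . $url . '">' . $url . '</a></p>'
         . '<meta http-equiv="refresh" content="1; url=' . $url . '" />';
}

// Accept only a local path: one leading slash, no scheme, no "//host" or "/\host",
// no control characters (CR/LF would also matter on the Location-header path).
function is_safe_redirect_target(string $url): bool
{
    if ($url === '' || $url[0] !== '/') {
        return false;
    }
    if (strlen($url) > 1 && ($url[1] === '/' || $url[1] === '\\')) {
        return false;
    }
    return preg_match('/[\x00-\x1F\x7F]/', $url) !== 1;
}

// Hardened fallback: validate the target, then HTML-escape it before it is used
// in an attribute or as text. Returns null if the target is rejected.
function redirect_fallback_hardened(string $url): ?string
{
    if (!is_safe_redirect_target($url)) {
        return null;
    }
    $att = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Redirecting to <a href="' . $att . '">' . $att . '</a></p>'
         . '<meta http-equiv="refresh" content="1; url=' . $att . '" />';
}

// Simulates a request to dev/build with output flushed before redirectBack():
// the progress text goes out first, so the redirect has to use the fallback.
// A rejected target falls back to a fixed safe location ("/").
function handle_dev_build(array $get, bool $hardened): string
{
    $body   = "Building database schema...\n";
    $target = $get['redirectURL'] ?? '/';
    $fallback = $hardened
        ? (redirect_fallback_hardened($target) ?? redirect_fallback_hardened('/'))
        : redirect_fallback_vulnerable($target);
    return $body . $fallback;
}

// Constructed attacker values for the redirectURL parameter.
$payloads = [
    '"><script>alert(document.cookie)</script>',      // breaks out of href
    '/admin/pages?x="><img src=x onerror=alert(1)>',  // local path, still injects
    '//attacker.example/',                            // protocol-relative redirect
];

foreach ($payloads as $p) {
    echo "=== redirectURL=", $p, "\n";
    echo "[vulnerable]\n", handle_dev_build(['redirectURL' => $p], false), "\n";
    echo "[hardened]\n",   handle_dev_build(['redirectURL' => $p], true),  "\n\n";
}
```

Run it with `php example.php` and compare the two outputs for each payload: the vulnerable fallback emits the injected tags verbatim, while the hardened one either escapes them (second payload, a legitimate local path carrying markup) or refuses the target and redirects to "/" (first and third payloads). Escaping alone is not enough in the real fallback if it also embeds the URL inside a script block; each output context needs its own encoding, and a fixed safe destination is simpler than trying to sanitise an attacker-supplied one.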
Performing the Attack
The URL to use for this attack is dev/build, as it both outputs directly to the browser before the redirect call and calls redirectBack(). This behaviour is only triggered when a redirect URL is provided, and the attack requires either that the site be in dev mode or that the targeted user have ADMIN privileges on the site.
For example, a potential attack URL would look like