SilverStripe: XSS in Redirection URL

SilverStripe adivsory identifier: SS-2014-006
Versions Affected: 3.0.9, 3.1.3, and all previous versions.
Notified on: 2014-02-28

Attack Details

By crafting the value passed into Controller->redirect(), usually by setting the redirectURL GET parameter on a page which calls Controller->redirectBack() and if the page being requested has sent output to the browser before the redirect call then the value passed is directly outputted to the browser, allowing for XSS.

If the server has a large enough output buffer that the headers have not been sent to the browser by the time the redirect call is made, then this attack will not work.

Performing the Attack

The URL to use with this attack is dev/build as it both outputs directly to the browser before the redirect call and calls redirectBack(). This behaviour is only used when a redirect URL is provided and does require the site to either be in dev mode or for the targeted user to have ADMIN privileges on the site.

For example, a potential attack URL would look like http://site.com/dev/build?returnURL=/"><h1>Hacked!</h1><!--.

PayPal: simon@simon.geek.nz

 

Leave a Reply