
[BUG] [XBOW-025-004] Open Redirect Vulnerability in Graphite Account Logout Function #2871

Open
@xbow-security

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

The Graphite v1.1.10 monitoring and graphing tool contains an open redirect vulnerability in its account logout functionality. The logout view accepts a nextPage parameter via GET request that is used directly in an HttpResponseRedirect without any validation of the destination URL. This allows an attacker to craft a URL that will redirect users to arbitrary external domains.

The vulnerability exists in the logoutView function within account/views.py. The function retrieves the nextPage parameter from the request's GET parameters and passes it directly to HttpResponseRedirect without performing any validation or sanitization of the URL:

from django.contrib.auth import logout
from django.http import HttpResponseRedirect
from django.urls import reverse

def logoutView(request):
  # nextPage comes straight from the query string; nothing checks that it is a relative path or a trusted host
  nextPage = request.GET.get('nextPage', reverse('browser'))
  logout(request)
  return HttpResponseRedirect(nextPage)

This lack of validation allows an attacker to specify any external URL as the nextPage parameter, causing the application to redirect users to a site of the attacker's choosing. Because the redirect originates from the trusted Graphite domain, the link keeps an appearance of legitimacy, which makes it useful in phishing campaigns.

Steps to reproduce

Access the Graphite application's logout endpoint with a malicious nextPage parameter:

GET /account/logout?nextPage=http://evil.example.com HTTP/1.1
Host: graphite-server

The application will process the logout request and redirect the user to the specified external domain.
After following these steps, any user clicking on or being directed to this crafted URL will be automatically redirected to the attacker-specified domain after their session is logged out. This occurs without any warning to the user about leaving the trusted domain.

Mitigations

  • Implement proper URL validation that only allows redirects to trusted domains or relative paths within the application.
  • Use a whitelist of allowed redirect destinations rather than accepting arbitrary URLs.
  • Consider implementing URL signing for redirect parameters to ensure they haven't been tampered with.
  • If external redirects are necessary, implement a warning page that informs users they are leaving the trusted domain.
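A stand-alone validator for the first two mitigations, added here as an example (not graphite-web's or Django's code). It mirrors the checks Django performs in url_has_allowed_host_and_scheme() but has no Django dependency, and it assumes the deployment's ALLOWED_HOSTS (a constructed set below) is the list of trusted redirect hosts.

```python
from urllib.parse import urlsplit


def is_safe_redirect(url, allowed_hosts):
    """True only if url is a relative path or stays on a host in allowed_hosts."""
    if not url or url != url.strip():
        return False
    # Browsers treat "\" as "/" and ignore ASCII control characters, so
    # "/\evil.example.com" must be judged as "//evil.example.com".
    url = url.replace("\\", "/")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False
    # Scheme-relative ("//host") and triple-slash forms are absolute to browsers.
    if url.startswith("//"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "javascript:..." or "http:///evil": a scheme with no host is never an in-app path.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        # hostname strips userinfo and port, so "http://trusted@evil" resolves to "evil".
        return bool(parts.hostname) and parts.hostname in allowed_hosts
    return True


def resolve_next_page(request_get, allowed_hosts, default="/"):
    """Pick the post-logout target the way a hardened logoutView would."""
    candidate = request_get.get("nextPage", default)
    return candidate if is_safe_redirect(candidate, allowed_hosts) else default


# Constructed sample value; a real deployment would pass settings.ALLOWED_HOSTS.
ALLOWED_HOSTS = {"graphite-server"}

# In the view itself the wiring would be (hypothetical, shown as a comment):
#   nextPage = resolve_next_page(request.GET, settings.ALLOWED_HOSTS, reverse('browser'))
#   logout(request)
#   return HttpResponseRedirect(nextPage)

if __name__ == "__main__":
    for q in ({"nextPage": "/dashboard"}, {"nextPage": "http://evil.example.com"},
              {"nextPage": "//evil.example.com"}, {"nextPage": "/\\evil.example.com"}):
        print(q["nextPage"], "->", resolve_next_page(q, ALLOWED_HOSTS))
```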

Impact

The vulnerability requires no authentication and can be exploited by simply crafting a malicious URL. While it doesn't directly expose sensitive data and could be considered a low-severity issue, it can be used in phishing attacks or to redirect users to malicious sites. The attack vector is simple to exploit and could be combined with social engineering to increase its effectiveness.

Disclosure Policy

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.
