Description
Drupal Core allows the redirect target to be overridden through the destination query parameter, which lets an attacker redirect the user to an external domain. For example, the following URL:
http://www.drupal.local//?destination=https://attacker.com\@www.drupal.local/
redirects the user to the domain attacker.com.
Remediation
Upgrade to the latest version of Drupal.
Block requests with multiple forward slashes that contain an external domain in the destination parameter.
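As an added example (not code from the Drupal project), a Python check that resolves a destination value the way a browser does, normalizing backslashes before reading the host so that the `\@` value above is recognised as pointing at attacker.com, plus the blocking rule from this remediation applied to a request target. The function names and the sample request targets are assumptions constructed for the illustration.

```python
"""Check Drupal-style ?destination= values the way a browser would resolve them."""
from urllib.parse import parse_qs, urlsplit


def destination_is_local(destination: str, expected_host: str) -> bool:
    """Return True only if `destination` keeps the user on expected_host.

    Browsers treat '\\' as '/' in http(s) URLs, so the value
    https://attacker.com\\@www.drupal.local/ is really
    https://attacker.com/@www.drupal.local/ (host attacker.com), even though
    a naive parser reads the host as 'www.drupal.local' after the '@'.
    """
    normalized = destination.replace("\\", "/")
    # The WHATWG parser drops tab/newline anywhere and trims surrounding space
    for ch in "\t\r\n":
        normalized = normalized.replace(ch, "")
    normalized = normalized.strip()
    try:
        parts = urlsplit(normalized)
    except ValueError:  # malformed authority (e.g. bad IPv6 literal): not local
        return False
    host = (parts.hostname or "").lower()
    if parts.scheme:  # absolute URL: only http(s) to our own host
        return parts.scheme.lower() in ("http", "https") and host == expected_host.lower()
    if parts.netloc:  # protocol-relative URL such as //attacker.com/
        return host == expected_host.lower()
    # No scheme, no host: accept only a single-slash site-relative path
    return normalized.startswith("/") and not normalized.startswith("//")


def flag_request(request_target: str, expected_host: str) -> bool:
    """Apply the blocking rule to a request target (path + query, as logged):
    a path starting with multiple slashes combined with a destination that
    leaves expected_host. Assumed helper, not part of Drupal."""
    path, _, query = request_target.partition("?")
    if not path.startswith("//"):
        return False
    destinations = parse_qs(query, keep_blank_values=True).get("destination", [])
    return any(not destination_is_local(d, expected_host) for d in destinations)


if __name__ == "__main__":
    # Constructed sample request targets, including the one from this entry
    samples = [
        "//?destination=https://attacker.com\\@www.drupal.local/",
        "/?destination=/user/login",
        "//?destination=http://www.drupal.local/node/1",
    ]
    for target in samples:
        print("BLOCK" if flag_request(target, "www.drupal.local") else "allow", target)
```

Resolving the real host is the general fix; the multiple-slash condition in flag_request only mirrors the narrower rule stated under Remediation.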
References
Related Vulnerabilities
WordPress Plugin Daily Inspiration Generator Open Redirect (2.0)
XWiki URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2023-29204)
WordPress 4.0.x Multiple Vulnerabilities (4.0 - 4.0.26)
WordPress 4.7.x Multiple Vulnerabilities (4.7 - 4.7.24)
WordPress Plugin All-In-One Security (AIOS)-Security and Firewall Open Redirect (4.4.1)