Description

Drupal Core allows overriding the redirect target using the destination query parameter. This allows an attacker to redirect the user to an external domain. For example, the following URL: 

http://www.drupal.local//?destination=https://attacker.com\@www.drupal.local/
will redirect the user to the domain attacker.com.

Remediation

Upgrade to the latest version of Drupal.
Block requests with multiple forward slashes that contain an external domain in the destination parameter.

References

Practical Web Cache Poisoning

Related Vulnerabilities

Liferay Portal URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2023-35029)

WordPress Plugin WooCommerce Open Redirect (3.7.0)

Moodle URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2019-10133)

WordPress 4.6.x Multiple Vulnerabilities (4.6 - 4.6.18)

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.33)

Severity

Low

Classification

CWE-601 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Url Redirection