Potential security issue with next parameter

[cschwarz007]

Hi Jonathan,

We have deployed DocAssemble in a productive environment - thank you so much for this extremely useful tool. My IT colleagues however have some concerns regarding the following issue - anything that can be done about that?

Summary of the issue There is an open redirect on the ?next parameter

Steps to reproduce

1. Just click the link and you will be redirected.
2. https://someurl.com/user/sign-out?next=https://someurl.com.evil.com https://someurl.com/user/sign-out?next=https://google.com

Impact statement Open redirects can be used for authentic phishing scenarios. Please find more information on how to fix this vulnerability here: https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

[jhpyle]

Thanks! I have a fix for this that will be in the next version.

[cschwarz007]

Hi Jonathan. I skimmed through the changelogs of the 1.3.X releases but did not find anything about this topic. Has it been included in one of the versions so far and if so, in which one?

[jhpyle]

Yes, I implemented this in 606a52142c0fc04a383b463859fce43d1dc0ae2b (the start of the 1.3.x). I only limited redirects partially; if the user is actually logged in, the redirects will still go to the external URL. This is so that developers can include links in interviews made with url_of('logout') with a next parameter for logging the user out and going to an external site. Even this is probably not good, though, so I am thinking about ways to implement that differently.

[jhpyle]

After my January 20 comment I made further changes to increase security around next parameters so it is better now. Thanks for this issue!