Bug 550366

Summary: don't use redirect based on user input
Product: [openSUSE] openSUSE 11.2
Reporter: Josef Reidinger <jreidinger>
Component: WebYaST
Assignee: Klaus Kämpf <kkaempf>
Status: RESOLVED DUPLICATE
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P4 - Low
Version: Factory
Target Milestone: Future 11.3
Hardware: Other
OS: Other
Whiteboard: security
Found By: Development Services
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 514382

Description Josef Reidinger 2009-10-27 11:46:30 UTC
redirection with user input (risk: medium-HIGH, CWE-601, CWE-79): Some HTTP redirects seem to be
called with user-defined input like redirect_to(webservices_url) in webservices_controller.rb or
redirect_to new_session_path(:hostname => params[:hostname]) in session_controller.rb. This can ease
phishing attacks and can be used for cross-site scripting attacks (depending on the web-browser).
Solution: Sanitize the link for redirection and do not allow the corresponding Ruby methods to be called
directly (this seems to be already avoided by the csrf_token and auth_token but was not verified).
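The report above describes an open redirect: a value from `params` is passed straight to `redirect_to`. The following is an added example (not WebYaST code) showing the unsafe pass-through beside a validating helper that only returns a same-site path or an absolute http(s) URL whose host is on an allowlist, plus a matching check for the `:hostname` parameter. The allowlist and the function names are assumptions for this example.

```ruby
require "uri"

# Assumed allowlist of backends a redirect may point to (constructed for this example).
ALLOWED_HOSTS = ["localhost", "127.0.0.1", "yast.example.internal"].freeze
FALLBACK = "/".freeze

# The pattern flagged in the report: the user-supplied value is used as-is.
def unsafe_redirect_target(user_value)
  user_value
end

# Hardened form: accept a single-slash relative path or an http(s) URL whose
# host is allowlisted; anything else (scheme-relative "//host", javascript:,
# user@host tricks, unparsable input) falls back to the site root.
def safe_redirect_target(user_value, allowed_hosts = ALLOWED_HOSTS)
  return FALLBACK if user_value.nil? || user_value.strip.empty?
  uri = URI.parse(user_value.strip)
  if uri.host.nil? && uri.scheme.nil?
    # Relative target. "//evil.example" parses with a host, so it never lands here.
    return uri.path.start_with?("/") ? uri.to_s : FALLBACK
  end
  return FALLBACK unless %w[http https].include?(uri.scheme)
  return FALLBACK unless allowed_hosts.include?(uri.host.to_s.downcase)
  uri.to_s
rescue URI::InvalidURIError
  FALLBACK
end

# For the :hostname parameter: pass it on only when it names a known backend.
def safe_hostname(user_value, allowed_hosts = ALLOWED_HOSTS)
  host = user_value.to_s.strip.downcase
  allowed_hosts.include?(host) ? host : nil
end
```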
Comment 1 Klaus Kämpf 2009-11-02 09:26:43 UTC
Not relevant for appliance release, host is fixed to 'localhost'
Comment 2 Klaus Kämpf 2009-11-17 13:20:52 UTC
Same as #550364, multi-host is a feature

*** This bug has been marked as a duplicate of bug 550364 ***