SS-2014-006: XSS in returnURL redirection

Severity: Low (?)
Identifier: SS-2014-006
Versions Affected: 3.0.9, 3.1.3, and all versions before
Versions Fixed: 3.0.10, 3.1.4
Release Date: 2014-04-01

If an attacker can set the URL passed to Controller->redirect() and output has already been sent to the browser before the redirect can occur, the URL may be written directly into the response without escaping.

This can potentially be exploited through dev/build, i.e. http://site.com/dev/build?returnURL=/"><h1>Hacked!</h1><!--

If the response is buffered enough that no output has been sent to the browser by the time the redirect occurs, this particular attack vector isn't available on a stock install; other vectors may exist, and it may still be reachable in customised installs.

The fix is to escape the URL before displaying it to the user.
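As an added illustration (not code from SilverStripe or from the patches linked below), here is a minimal PHP redirect helper in its vulnerable and escaped forms, using the advisory's own returnURL value as constructed input; the function names are hypothetical:

```php
<?php
// Added example, not SilverStripe's own code: a minimal redirect helper that
// falls back to an HTML link when headers can no longer be sent, and so must
// escape the user-controlled URL before placing it in the page.

/**
 * Vulnerable form: the URL is concatenated into an attribute unescaped, so a
 * value containing a double quote closes the attribute and injects markup.
 */
function redirectFallbackUnsafe(string $url): string
{
    return '<a href="' . $url . '">Continue</a>';
}

/**
 * Hardened form: escape for an HTML attribute context. ENT_QUOTES covers both
 * quote characters, so the attribute cannot be terminated early.
 */
function redirectFallbackSafe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $escaped . '">Continue</a>';
}

/**
 * Send a Location header if output has not started; otherwise emit the
 * escaped fallback link. Returns whatever markup was written.
 */
function safeRedirect(string $url): string
{
    if (!headers_sent()) {
        header('Location: ' . $url, true, 302);
        return '';
    }
    $html = redirectFallbackSafe($url);
    echo $html;
    return $html;
}

// Constructed input: the returnURL value quoted in the advisory.
$returnURL = '/"><h1>Hacked!</h1><!--';

echo redirectFallbackUnsafe($returnURL), PHP_EOL; // attribute broken out of
echo redirectFallbackSafe($returnURL), PHP_EOL;   // quotes and angle brackets encoded
```

Run from the command line the headers are never "sent", so safeRedirect() takes the header() branch; the two fallback functions show the difference the fix makes.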

Download Patch for 3.1 | Download Patch for 3.0

Thanks to Simon Welsh for reporting and providing a patch.
