SS-2014-006: XSS in returnURL redirection
- Severity: Low
- Versions Affected:
- 3.0.9, 3.1.3, and all versions before
- Versions Fixed:
- 3.0.10, 3.1.4
- Release Date:
If an attacker can control the URL passed to Controller->redirect(), and output has already been sent to the browser before the redirect headers can be issued, the URL is written directly into the HTML response without escaping, allowing cross-site scripting.
This can potentially be exploited through dev/build, e.g. http://site.com/dev/build?returnURL=/"><h1>Hacked!</h1><!--
If the response is buffered so that no output has reached the browser before the redirect, this particular vector is not available on a stock install. Other vectors may exist, and it may still be reachable on customised installs that flush output early.
The fix is to escape the URL before displaying it to the user.
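The following PHP is an added illustration, not code from SilverStripe itself: it shows the "headers already sent" redirect fallback in a vulnerable form that interpolates the URL unescaped, beside a form that escapes the URL for each output context. The function names, the exact markup and the sample payload are assumptions for the example.

```php
<?php
// Added illustration (not SilverStripe's own code): the fallback a framework
// emits when it must redirect but response headers have already been sent.
// Function names and markup are assumed for the example.

/**
 * Vulnerable form: the redirect target is interpolated into an HTML attribute,
 * HTML text and a JavaScript string literal with no escaping. A returnURL such
 * as  /"><h1>Hacked!</h1><!--  closes the href attribute and injects markup.
 */
function render_redirect_fallback_vulnerable(string $url): string
{
    return "<p>Redirecting to <a href=\"$url\">$url</a></p>\n"
         . "<meta http-equiv=\"refresh\" content=\"1; url=$url\" />\n"
         . "<script>setTimeout(function(){ window.location.href = \"$url\"; }, 50);</script>";
}

/**
 * Escaped form: each output context gets its own encoding.
 *  - HTML attribute values and text: htmlspecialchars() with ENT_QUOTES, so
 *    both quote characters and angle brackets become entities.
 *  - JavaScript string literal: json_encode() with the JSON_HEX_* flags, which
 *    yields a quoted JS string in which < > & ' " are \uXXXX escapes, so the
 *    literal can neither break out of the quotes nor close the <script> element.
 */
function render_redirect_fallback_safe(string $url): string
{
    $html = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $js   = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<p>Redirecting to <a href=\"$html\">$html</a></p>\n"
         . "<meta http-equiv=\"refresh\" content=\"1; url=$html\" />\n"
         . "<script>setTimeout(function(){ window.location.href = $js; }, 50);</script>";
}

// Constructed sample input: the payload from the advisory.
$payload = '/"><h1>Hacked!</h1><!--';

echo "--- vulnerable ---\n", render_redirect_fallback_vulnerable($payload), "\n\n";
echo "--- escaped ---\n",    render_redirect_fallback_safe($payload), "\n";
```

Running this shows the vulnerable variant emitting a live `<h1>` element and a broken `<a>` tag, while the escaped variant renders the payload as inert text in every context. The point of escaping per context is that one encoding does not cover all three: an HTML-entity-encoded value is still wrong inside a JavaScript string literal, and vice versa.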
Thanks to Simon Welsh for reporting and providing a patch.