User controllable cookie vulnerability

Created on 9 August 2024, 5 months ago
Updated 22 August 2024, 4 months ago

Problem/Motivation

Users can set an arbitrary value in the destination cookie.
https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/user-c...

Steps to reproduce

Add '?destination=r87.com/?foobar' to login url.
Login
Observer the cookie Drupal.visitor.destination is set to 'r87.com%2F%3Ffoobar'

Proposed resolution

Sanitize and/or validate the destination parameter before setting the cookie. If it is an external path it must be in trusted-host-patterns, otherwise it must be a valid internal path.

πŸ› Bug report
Status

Fixed

Version

5.1

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States bfuzze9898

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024