User controllable cookie vulnerability

Created on 9 August 2024, 3 months ago

Updated 22 August 2024, 3 months ago

Problem/Motivation

Users can set an arbitrary value in the destination cookie.
https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/user-c...

Steps to reproduce

Add '?destination=r87.com/?foobar' to login url.
Login
Observer the cookie Drupal.visitor.destination is set to 'r87.com%2F%3Ffoobar'

Proposed resolution

Sanitize and/or validate the destination parameter before setting the cookie. If it is an external path it must be in trusted-host-patterns, otherwise it must be a valid internal path.

🐛 Bug report

Status

Fixed

Version

5.1

Component

Code

Created by

🇺🇸United States bfuzze9898

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @bfuzze9898
Comment 3 months ago →
shashank_thigale
Hello @bfuzze9898, thank you for pointing out the issue. We have fixed it in the latest version of the module - 5.1.6
Comment 3 months ago →
shashank_thigale
Status changed to Fixed 3 months ago5:00am 22 August 2024
Comment 3 months ago →
shashank_thigale

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024