CVE-2017-1000481 Information
Description
When you visit a page where you need to log in, Plone 2.5-5.1rc1 sends you to the login form with a ‘came_from’ parameter set to the previous URL. After you log in, you are redirected to the page you tried to view before. An attacker might try to abuse this by getting you to click on a specially crafted link: you would log in and be redirected to the attacker's site while believing you are still on the original Plone site, or some JavaScript of the attacker's could be executed. Most attacks of this type are already blocked by Plone using the isURLInPortal check, which ensures the redirect target is a page on the same Plone site. A few more ways of tricking Plone into accepting a malicious link were discovered and fixed with this hotfix.
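The check the advisory describes, a post-login redirect that is only honoured when the ‘came_from’ target stays on the portal, looks like the following. This is an added example written for this page, not Plone's own isURLInPortal code, and the portal URL, function name and sample inputs are constructed. It rejects the generic open-redirect pitfalls a defender should test for (foreign hosts, protocol-relative URLs, non-http schemes, backslash-as-slash normalisation, lookalike hostnames); the page does not enumerate the specific cases the hotfix fixed, so none are claimed here.

```python
"""Hardened validation of a login 'came_from' redirect target.

Added example, not Plone's implementation. The rule is the one the
advisory states: only redirect back to a URL on the same portal.
"""
import re
from urllib.parse import urljoin, urlsplit

# Constructed portal base URL for the example (not a real site).
PORTAL_URL = "https://portal.example/plone"

# ASCII control characters and space; never legitimate in a came_from value.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def safe_came_from(came_from, portal_url=PORTAL_URL):
    """Return the absolute URL to redirect to after login, or None if the
    supplied came_from value must not be trusted."""
    if not came_from:
        return None
    if _CONTROL.search(came_from):
        # Tabs, newlines and spaces are stripped by some URL parsers but not
        # others; reject instead of guessing how the browser will read them.
        return None

    # Browsers treat a backslash like a forward slash in http(s) URLs, so
    # normalise before parsing; otherwise "/\host" looks like a local path
    # here but is read as "//host" (a different site) by the browser.
    candidate = came_from.replace("\\", "/")

    # Resolve relative values against the portal, then compare component by
    # component rather than by string prefix ("/plone2" is not "/plone").
    resolved = urljoin(portal_url + "/", candidate)
    target = urlsplit(resolved)
    portal = urlsplit(portal_url)

    if target.scheme.lower() != portal.scheme.lower():
        return None  # javascript:, data:, or an http downgrade of an https portal
    if target.netloc.lower() != portal.netloc.lower():
        return None  # another host, including userinfo tricks such as portal@evil
    base_path = portal.path.rstrip("/")
    if not (target.path == base_path or target.path.startswith(base_path + "/")):
        return None  # same host, but outside the portal's own path
    return resolved


if __name__ == "__main__":
    # Constructed sample values a login form might receive.
    for value in ("/plone/folder/page", "//evil.example/",
                  "/\\evil.example/", "javascript:alert(1)",
                  "https://portal.example.evil.example/plone/"):
        print(repr(value), "->", safe_came_from(value))
```

Two design points: comparing parsed components (scheme, host, path prefix) avoids the classic mistake of a plain `startswith(portal_url)` test, which accepts `https://portal.example/plone2/...` and, if the portal has no path, `https://portal.example.evil.example`; and resolving with `urljoin` first means a relative value like `folder/page` is accepted while a protocol-relative `//host` is resolved to a full URL and then rejected on the host comparison.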
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
https://plone.org/security/hotfix/20171128/open-redirection-on-login-form
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.1
Base Severity
MEDIUM