Vulnerability detected: redirect to external domain exploited by bots #38
Hello, Patrick.
On one of my websites, it seems bots have exploited a vulnerability of the plugin, where it is possible for them to pass a redirect to an external domain.
I've fixed the code on my fork, but I wanted to leave a track here too (although I know you're not maintaining this plugin anymore, here).
In controllers/SetlocaleController.php,

```php
if (empty($url)) {
    $referer = $request->getHeader('Referer');
    $url = $this->getParam('redirect', $referer) ?: '/';
}
```

should be replaced by

```php
if (empty($url)) {
    $referer = $request->getHeader('Referer');
    $redirect = $this->getParam('redirect', $referer) ?: '/';
    // Validation: only accept relative URLs or URLs on the same domain
    $parsedRedirect = parse_url($redirect);
    $parsedBase = parse_url(WEB_ROOT);
    if (empty($parsedRedirect['host']) ||
        $parsedRedirect['host'] === $parsedBase['host']) {
        $url = $redirect;
    } else {
        $url = '/'; // external redirect: go back to the homepage
    }
}
```
Hope this helps. Thanks for the plugin, btw ;-)
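A stricter version of the host check proposed above, added here as an example (it is neither the plugin's code nor the reporter's patch). It assumes `WEB_ROOT` is the site's base URL and goes beyond the patch by also rejecting protocol-relative targets (`//host/...`), backslash variants some browsers normalise into a new host, and non-http(s) schemes, none of which a bare `parse_url()` host comparison catches.

```php
<?php
// Added example, not the plugin's own code. $webRoot plays the role of WEB_ROOT.
/**
 * Return a safe redirect target: a same-origin URL taken from the request, or
 * $fallback. Rejects foreign hosts, non-http(s) schemes, protocol-relative
 * prefixes ("//evil.example") and backslash tricks ("/\evil.example").
 */
function safeRedirectTarget(string $candidate, string $webRoot, string $fallback = '/'): string
{
    $candidate = trim($candidate);
    if ($candidate === '' || preg_match('/[\x00-\x1F\s\\\\]/', $candidate)) {
        return $fallback;           // empty, control chars, whitespace or backslashes
    }
    $parsed = parse_url($candidate);
    $base   = parse_url($webRoot);
    if ($parsed === false || $base === false || empty($base['host'])) {
        return $fallback;           // unparsable input or misconfigured base URL
    }
    if (isset($parsed['scheme'])) {
        // Absolute URL: must be http(s) and must point at our own host.
        if (!in_array(strtolower($parsed['scheme']), ['http', 'https'], true)) {
            return $fallback;       // javascript:, data:, mailto:, ...
        }
        if (strcasecmp($parsed['host'] ?? '', $base['host']) !== 0) {
            return $fallback;       // external host (also catches user@host forms)
        }
        return $candidate;
    }
    // No scheme: accept only a site-relative path with a single leading slash.
    // "//host/path" is protocol-relative and is rejected here.
    if ($candidate[0] !== '/' || (isset($candidate[1]) && $candidate[1] === '/')) {
        return $fallback;
    }
    return $candidate;
}

// Constructed inputs covering the cases discussed in the issue.
$webRoot = 'https://shop.example/';
foreach ([
    '/account',                         // kept: site-relative path
    'https://shop.example/checkout',    // kept: same host
    'https://evil.example/',            // rejected: external host
    '//evil.example/',                  // rejected: protocol-relative
    '/\\evil.example',                  // rejected: backslash trick
    'javascript:alert(1)',              // rejected: non-http scheme
] as $input) {
    printf("%-34s -> %s\n", $input, safeRedirectTarget($input, $webRoot));
}
```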