Closed Bug 790099 Opened 13 years ago Closed 10 years ago

Etherpad SecReview - Open Redirect on Sign-in Page

Categories

(Websites Graveyard :: etherpad.mozilla.org, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mfuller, Unassigned)

References

(Blocks 1 open bug)

Details

Filing this bug as a reminder for when I do the sec review. Etherpad allows an open redirect to any website: https://security.etherpad.mozilla.org/ep/account/sign-in?cont=http://bad-site-with-malware.com Doesn't require a signin either. Redirects immediately.
Looks pretty easy to do a check against the configured "topdomains" (e.g. using domainEnabled(request.domain)). It would be worth looking through the source to see where else redirects are used; I see at least a few places where strings are concatenated, so those would need to be traced down. I suspect that all of the old "pro" code was written with the expectation that it would not be public in the way ours is, since it was a paid feature originally...
Assignee: nobody → rhelmer
Status: NEW → ASSIGNED
Hi Robert, thanks for the reply - don't worry about fixing this at the moment; we're gathering security bugs related to Etherpad in preparation for a full security review and a possible switch to Etherpad Lite or a new product due to the number of insecurities in Etherpad.
Summary: Open Redirect on Etherpad → Etherpad SecReview - Open Redirect on Sign-in Page
Assignee: rhelmer → nobody
Status: ASSIGNED → NEW
This product has been shutdown and is no longer available. For the record, this product is not part of the bug bounty program.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Product: Websites → Websites Graveyard