User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.155 Safari/537.22

Steps to reproduce:

The 'next' parameter in the support.mozilla.org login page is vulnerable to an open redirect. This would allow an attacker to redirect the user to a malicious site without realizing it.

1. Go to URL - https://support.mozilla.org/en-US/users/auth?next=//www.google.com
2. Enter the credentials to login.
3. After login, notice that it redirects the user to a third party website. In this case I have redirected to google.com.

Actual results:

The 'next' parameter is not validating the user input properly.

Expected results:

The 'next' parameter shouldn't accept direct URLs.
assigning to rforbes for verification
confirmed, this works.
Sorry, I didn't CC the right people on this. I believe this line is the issue: https://github.com/mozilla/kitsune/blob/master/apps/sumo/utils.py#L124 Protocol-relative URLs fail the "if parsed_url.scheme" test. Replacing this block with "if not is_safe_url(url): url = None" should work, unless there are reasons to ever accept URLs with hostnames. The login/logout URL check may or may not be worth keeping (does it even work right now with localized URLs?). See also bug 847190 in MDN.
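The comment above describes why a scheme-only check misses protocol-relative targets and suggests delegating to Django's is_safe_url. The following is an added illustration, not kitsune's code and not Django's: a naive check of the kind described, next to a stand-alone approximation of what a safe-redirect check has to cover (protocol-relative hosts, extra leading slashes, backslashes, non-http schemes, foreign hosts). The function names, the allowed host value and the sample targets are all assumptions constructed for the example.

```python
from urllib.parse import urlparse


def naive_next_is_local(url: str) -> bool:
    """'Before' check, resembling the one the comment identifies as the bug:
    a target counts as local as long as urlparse() finds no scheme.
    '//host/...' has no scheme, so it passes. Shown for comparison only."""
    return not urlparse(url).scheme


def _check_once(url: str, allowed_host: str) -> bool:
    # Browsers treat three or more leading slashes as an absolute URL,
    # while urlparse() yields an empty netloc for it; reject outright.
    if url.startswith("///"):
        return False
    parsed = urlparse(url)
    # A scheme without a host ('http:///host') is reinterpreted by some
    # browsers, and non-network schemes are never a page to return to.
    if parsed.scheme and not parsed.netloc:
        return False
    # '//host/path' parses with netloc set and no scheme; treat it as http.
    scheme = parsed.scheme or ("http" if parsed.netloc else "")
    if scheme and scheme not in ("http", "https"):
        return False
    # Any explicit host (including 'user@host' forms) must be our own.
    return not parsed.netloc or parsed.netloc.lower() == allowed_host.lower()


def next_is_safe(url: str, allowed_host: str) -> bool:
    """Hardened check for a ?next= value. This is an added, stand-alone
    approximation of the behaviour of Django's is_safe_url (assumption:
    not Django's code): accept only host-less relative paths or http(s)
    URLs whose host is allowed_host."""
    if not url or not url.strip():
        return False
    url = url.strip()
    # Some browsers ignore leading control characters; urlparse() does not.
    if ord(url[0]) < 0x20:
        return False
    # Browsers treat '\' as '/' in paths, so the normalized form must pass too.
    return _check_once(url, allowed_host) and _check_once(
        url.replace("\\", "/"), allowed_host
    )


def redirect_target(next_param: str, allowed_host: str, fallback: str = "/") -> str:
    """What a login view should do with the parameter: fall back to a fixed
    local path whenever the supplied target fails the check."""
    return next_param if next_is_safe(next_param, allowed_host) else fallback


if __name__ == "__main__":
    host = "support.mozilla.org"  # constructed value for the example
    for target in ("/en-US/questions/", "//www.google.com", "///www.google.com",
                   "/\\www.google.com", "ftp://support.mozilla.org/"):
        print(f"{target!r:32} naive={naive_next_is_local(target)!s:5} "
              f"safe={next_is_safe(target, host)!s:5} -> {redirect_target(target, host)}")
```

The naive check accepts the protocol-relative form from the bug report; the hardened check rejects it and every other form that a browser would resolve to a different host, so the view only ever redirects to a relative path or to its own host.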
In a pull request: https://github.com/mozilla/kitsune/pull/1237 Nice to be able to hand most of the real work off to a Django utility.
Deployed to production just now.
These bugs are all resolved, so I'm removing the security flag from them.