
Open redirect vulnerability on /Sitefinity/status page

1 posts, 0 answered
  1. anmiles
     27 posts
     Registered: 17 May 2010
     23 Jan 2017

    Hi there,

    Sitefinity 9.2 has a system page, /Sitefinity/Status, with a ReturnUrl parameter. It's shown during application restart, but not only then: this page works anytime.

    I noticed that this parameter represents an open redirect vulnerability. ReturnUrl is not validated. One can pass any website URL as the ReturnUrl parameter, and Sitefinity will redirect to it.

    For example, /Sitefinity/status?ReturnUrl=http://www.spam.com will redirect to http://www.spam.com.

    So at any time a phisher can post a URL based on the domain of a Sitefinity-based website, but this URL will immediately redirect to another website.

    There is no option to switch this redirect off. Modifying the HTML of the application status page affects only the startup screen but doesn't affect redirection when the site is running. Denying access to the /Sitefinity/status page causes other users to see a server error page until the website starts up.

    We invented a dirty workaround: programmatically override the route and substitute our own HTTP handler. But fact is fact: there is a vulnerability that is present by default on all Sitefinity systems.

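As an added example (not Sitefinity's code and not the poster's own handler), this is the redirect decision a replacement handler for the status page can make: honour ReturnUrl only when it is a site-relative path, and fall back to the site root otherwise. It assumes classic ASP.NET's IHttpHandler and a hypothetical class name; registering the handler in Sitefinity's routing is not shown, since the post does not describe how that was done.

```csharp
using System;
using System.Web;

// Added example, not Sitefinity's code: only site-relative ReturnUrl values are honoured.
public static class SafeReturnUrl
{
    // Same rules ASP.NET's UrlHelper.IsLocalUrl applies: accept "/path" or "~/path",
    // reject protocol-relative forms ("//host", "/\host") that browsers treat as
    // absolute, and reject anything with a scheme or a bare host name.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrWhiteSpace(url)) return false;
        url = url.Trim();
        if (url[0] == '/')
        {
            // "/" alone or "/path" is local; "//evil.example" and "/\evil.example" are not.
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');
        }
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
        {
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');
        }
        // http://..., https://..., javascript:..., "evil.example" all end up here.
        return false;
    }
}

// Hypothetical handler name; the status-page rendering itself is out of scope here.
public class StatusRedirectHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // QueryString values are already URL-decoded by ASP.NET.
        string returnUrl = context.Request.QueryString["ReturnUrl"];
        // Off-site or missing values are replaced by the site root instead of being followed.
        string target = SafeReturnUrl.IsLocalUrl(returnUrl) ? returnUrl : "/";
        // endResponse:false avoids the ThreadAbortException that Redirect(url) raises.
        context.Response.Redirect(target, false);
        context.ApplicationInstance.CompleteRequest();
    }
}
```

With this check, ?ReturnUrl=http://www.spam.com and ?ReturnUrl=//www.spam.com both land on "/", while ?ReturnUrl=/Sitefinity/Dashboard is still followed.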