Talos IntelligenceTALOS-2020-1178phpGACL return_page redirection open redirect vulnerability
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.016 Low
EPSS
Percentile
87.3%
Summary
An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7. A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.
Tested Versions
OpenEMR 5.0.2
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)
phpGACL 3.3.7
Product URLs
<http://phpgacl.sourceforge.net/>
CVSSv3 Score
6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE
CWE-601 - URL Redirection to Untrusted Site (βOpen Redirectβ)
Details
phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List.
The latest version of this library has been found to be used in OpenEMR, as such the tests have been performed against an OpenEMR instance.
The file gacl_admin_api.class.php (in OpenEMR this has been renamed to Gacl/GaclAdminApi.php) defines a return_page function that is supposed to be used to redirect an admin user to a specified page:
function return_page($url="") {
global $_SERVER, $debug;
if (empty($url) AND !empty($_SERVER[HTTP_REFERER])) {
$this->debug_text("return_page(): URL not set, using referer!");
$url = $_SERVER[HTTP_REFERER];
}
if (!$debug OR $debug==0) {
header("Location: $url\n\n"); [1]
} else {
$this->debug_text("return_page(): URL: $url -- Referer: $_SERVER[HTTP_REFERRER]");
}
}
At [1] we can see that the $url passed as argument is used in the location header without any sanitization.
As an example, one instance where this function is used is in admin/acl_list.php:
...
switch ($_GET['action']) {
case 'Delete':
$gacl_api->debug_text('Delete!');
if (is_array ($_GET['delete_acl']) AND !empty($_GET['delete_acl'])) {
foreach($_GET['delete_acl'] as $id) {
$gacl_api->del_acl($id);
}
}
//Return page.
$gacl_api->return_page($_GET['return_page']); [2]
break;
...
The return_page variable is controllable the query string [2], meaning that an attacker could supply a malicious link to the phpGACL instance, which eventually will redirect the user to an arbitrary location controlled by the attacker. This can be abused to conduct phishing attacks and steal credentials.
Additionally, the return_page function should either call exit() or die() before returning, otherwise execution would continue, which could result in unexpected behavior.
Exploit Proof of Concept
The issue above has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL.
An attacker could send the following link to an admin user to reproduce:
http://open-erm.dev/gacl/admin/acl_list.php?action=Delete&return_page=http://open-emr.org&site=default
Clicking on this link will redirect the user to an arbitrary page (in this example βhttp://open-emr.orgβ).
Timeline
2020-10-21 - Vendor Disclosure
2021-01-05 - Vendor Patched
2021-01-27 - Public Release
Related
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.016 Low
EPSS
Percentile
87.3%