5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.016 Low
EPSS
Percentile
87.3%
An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7. A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.
OpenEMR 5.0.2
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)
phpGACL 3.3.7
<http://phpgacl.sourceforge.net/>
6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-601 - URL Redirection to Untrusted Site (βOpen Redirectβ)
phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List.
The latest version of this library has been found to be used in OpenEMR, as such the tests have been performed against an OpenEMR instance.
The file gacl_admin_api.class.php
(in OpenEMR this has been renamed to Gacl/GaclAdminApi.php
) defines a return_page
function that is supposed to be used to redirect an admin user to a specified page:
function return_page($url="") {
global $_SERVER, $debug;
if (empty($url) AND !empty($_SERVER[HTTP_REFERER])) {
$this->debug_text("return_page(): URL not set, using referer!");
$url = $_SERVER[HTTP_REFERER];
}
if (!$debug OR $debug==0) {
header("Location: $url\n\n"); [1]
} else {
$this->debug_text("return_page(): URL: $url -- Referer: $_SERVER[HTTP_REFERRER]");
}
}
At [1] we can see that the $url
passed as argument is used in the location header without any sanitization.
As an example, one instance where this function is used is in admin/acl_list.php
:
...
switch ($_GET['action']) {
case 'Delete':
$gacl_api->debug_text('Delete!');
if (is_array ($_GET['delete_acl']) AND !empty($_GET['delete_acl'])) {
foreach($_GET['delete_acl'] as $id) {
$gacl_api->del_acl($id);
}
}
//Return page.
$gacl_api->return_page($_GET['return_page']); [2]
break;
...
The return_page
variable is controllable the query string [2], meaning that an attacker could supply a malicious link to the phpGACL instance, which eventually will redirect the user to an arbitrary location controlled by the attacker. This can be abused to conduct phishing attacks and steal credentials.
Additionally, the return_page
function should either call exit()
or die()
before returning, otherwise execution would continue, which could result in unexpected behavior.
The issue above has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL.
An attacker could send the following link to an admin user to reproduce:
http://open-erm.dev/gacl/admin/acl_list.php?action=Delete&return_page=http://open-emr.org&site=default
Clicking on this link will redirect the user to an arbitrary page (in this example βhttp://open-emr.orgβ).
2020-10-21 - Vendor Disclosure
2021-01-05 - Vendor Patched
2021-01-27 - Public Release
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.016 Low
EPSS
Percentile
87.3%