Bug 1656881

Summary: Security scanner detects "Unvalidated Redirects and Forwards (spider-param-unchecked-redirect)" vulnerability in RHVM 4.2
Product: Red Hat Enterprise Virtualization Manager
Reporter: Sachin Raje <sraje>
Component: ovirt-engine
Assignee: Ravi Nori <rnori>
Status: CLOSED ERRATA
QA Contact: Jan Zmeskal <jzmeskal>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.2.7
CC: cshao, dmoppert, lsvaty, michal.skrivanek, mperina, mtessun, pmatyas, qiyuan, rbarry, Rhev-m-bugs, rhodain, rnori, sraje, usurse, ycui
Target Milestone: ovirt-4.3.0
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.3.0_rc
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1660925
Environment:
Last Closed: 2019-05-08 12:39:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1660925

Comment 1 Sachin Raje 2018-12-06 15:33:23 UTC
The security scanner detects the following vulnerability for RHVM 4.2:

3.2.15. Unvalidated Redirects and Forwards (spider-param-unchecked-redirect)

Description:

An open redirect vulnerability is an application that takes a parameter and redirects a user to the parameter value, such as a Web site,
without validation. Attackers exploit this vulnerability with phishing e-mails that cause users to visit malicious sites inadvertently.
This is one of the OWASP Top Ten flaws in the Code Injection category.


References:

OWASP-2010 : https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

OWASP-2013 : https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards

Vulnerability Solution:

Audit Report

If you cannot avoid user-controlled parameters when calculating the destination of the redirect or forward action, it is recommended that
you make any such parameters mapping values instead of actual URLs or portions of URLs.

Applications can use ESAPI to override the sendRedirect() method to make sure all redirect destinations are safe.
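
The mitigation quoted above (map a short parameter key to an application-owned URL instead of redirecting to the raw value) in working Java, as an added example that is not part of this bug report or of ovirt-engine's code. It goes one step beyond the scanner text by also showing a same-origin path check for the case where a key cannot be used. The class name, the "dashboard"/"vms"/"docs" keys, the /app/ paths and the sample inputs are all constructed for illustration; the flagged pattern is kept alongside for contrast only.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Two ways to keep a "where to go next" request parameter from becoming an open redirect.
 * All keys, paths and inputs in this class are constructed for illustration; they are not oVirt's.
 */
public final class SafeRedirect {

    /** Preferred: the request carries a short key, the application owns the URL it maps to. */
    private static final Map<String, String> DESTINATIONS;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("dashboard", "/app/dashboard");      // hypothetical application paths
        m.put("vms", "/app/vms");
        m.put("docs", "/app/docs/index.html");
        DESTINATIONS = Collections.unmodifiableMap(m);
    }

    /** Landing page used whenever the parameter is absent or not in the allow-list. */
    static final String DEFAULT_LOCATION = "/app/";

    /** The flagged pattern: the parameter value itself becomes the Location header. */
    static String unsafeTarget(String param) {
        return param;
    }

    /** Mapping approach from the scanner's recommendation: unknown keys fall back to the default. */
    static String targetFromKey(String key) {
        if (key == null) {
            return DEFAULT_LOCATION;
        }
        return DESTINATIONS.getOrDefault(key, DEFAULT_LOCATION);
    }

    /**
     * Fallback when a path (not a key) has to be accepted: only absolute-path references on the
     * same origin survive. Scheme-relative ("//host"), backslash-prefixed and scheme-bearing values
     * are rejected, as are control characters that could split the response header.
     */
    static boolean isLocalPath(String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return false;
        }
        for (int i = 0; i < candidate.length(); i++) {
            char c = candidate.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return false;
            }
        }
        if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.startsWith("/\\")) {
            return false;
        }
        try {
            URI uri = new URI(candidate);
            return uri.getScheme() == null && uri.getAuthority() == null;
        } catch (URISyntaxException e) {
            return false;   // backslashes, spaces and other illegal characters land here
        }
    }

    static String targetFromPath(String path) {
        return isLocalPath(path) ? path : DEFAULT_LOCATION;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the shapes a scanner typically probes with.
        String[] samples = {
            "dashboard", "https://attacker.invalid/login", "//attacker.invalid/", "/\\attacker.invalid",
            "javascript:alert(1)", "/app/vms?sort=name", "/app/x\r\nSet-Cookie: a=b", null
        };
        for (String s : samples) {
            String shown = String.valueOf(s).replace("\r\n", "\\r\\n");
            System.out.printf("%-34s key-> %-20s path-> %s%n", shown, targetFromKey(s), targetFromPath(s));
        }
    }
}
```

In a servlet the call site becomes `response.sendRedirect(SafeRedirect.targetFromKey(request.getParameter("next")))`, so nothing the client sent ever reaches the Location header unchanged. Running the class shows every non-allow-listed input, including the protocol-relative and header-splitting forms, collapsing to `/app/`, while `/app/vms?sort=name` passes the path check only because it is a bare same-origin path.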

Comment 25 errata-xmlrpc 2019-05-08 12:39:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085