Bug 1656881 - Security scanner detects "Unvalidated Redirects and Forwards (spider-param-unchecked-redirect)" vulnerability in RHVM 4.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.2.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: ovirt-4.3.0
Assignee: Ravi Nori
QA Contact: Jan Zmeskal
URL:
Whiteboard:
Depends On:
Blocks: 1660925
Reported: 2018-12-06 15:31 UTC by Sachin Raje
Modified: 2019-05-08 12:39 UTC (History)

Fixed In Version: ovirt-engine-4.3.0_rc
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-08 12:39:09 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:1085 0 None None None 2019-05-08 12:39:19 UTC
oVirt gerrit 96274 0 master MERGED aaa: Remove engine_url reference from Engine SSO 2018-12-18 15:34:50 UTC
oVirt gerrit 96275 0 master MERGED aaa: Remove engine_url from login servlets 2018-12-18 15:34:53 UTC
oVirt gerrit 96276 0 master MERGED aaa: Send Error with message for invalid Authorize requests 2018-12-18 15:34:55 UTC
oVirt gerrit 96277 0 master MERGED aaa: Add Bad Request custom page 2018-12-18 15:34:57 UTC
oVirt gerrit 96684 0 master MERGED aaa: Fix login and credentialsChange jps to render proper engine URL 2019-01-08 13:17:45 UTC

Comment 1 Sachin Raje 2018-12-06 15:33:23 UTC
The security scanner detects the following vulnerability for RHVM 4.2:

3.2.15. Unvalidated Redirects and Forwards (spider-param-unchecked-redirect)

Description:

An open redirect vulnerability is an application that takes a parameter and redirects a user to the parameter value, such as a Web site,
without validation. Attackers exploit this vulnerability with phishing e-mails that cause users to visit malicious sites inadvertently.
This is one of the OWASP Top Ten flaws in the Code Injection category.


References:

OWASP-2010 : https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards

OWASP-2013 : https://www.owasp.org/index.php/Top_10_2013-A10-Unvalidated_Redirects_and_Forwards

Vulnerability Solution:

Audit Report

If you cannot avoid user-controlled parameters when calculating the destination of the redirect or forward action, it is recommended that
you make any such parameters mapping values instead of actual URLs or portions of URLs.

Applications can use ESAPI to override the sendRedirect() method to make sure all redirect destinations are safe.
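An added example, not code from this bug or from ovirt-engine, showing the mitigation the scanner recommends: the flagged pattern (a request parameter used directly as the redirect Location) beside the hardened form, where the parameter is only a key into a server-side map of fixed destinations. Parameter names, paths and the allow-list are constructed for illustration; the `is_local_path` check is an extra same-origin guard a `sendRedirect()`-style wrapper can apply, going slightly beyond the report's text.

```python
from urllib.parse import urlsplit

# Constructed allow-list: short tokens the client may send -> fixed paths the
# application owns. Anything not in this map falls back to DEFAULT_TARGET.
REDIRECT_TARGETS = {
    "dashboard": "/app/dashboard/",
    "profile": "/app/profile/",
}
DEFAULT_TARGET = "/app/"


def unsafe_redirect_target(params: dict) -> str:
    """The pattern the scanner flags: the parameter value *is* the Location,
    so any absolute URL a link carries is forwarded to the browser."""
    return params.get("redirect_url", DEFAULT_TARGET)


def safe_redirect_target(params: dict) -> str:
    """Hardened form: the parameter is a mapping key, never a URL. A value
    that is not a known key (including a full URL) yields the default."""
    key = params.get("next", "")
    return REDIRECT_TARGETS.get(key, DEFAULT_TARGET)


def is_local_path(location: str) -> bool:
    """Defence-in-depth check before emitting a Location header: accept only
    absolute paths on this origin. Rejects schemes ('https:', 'javascript:'),
    scheme-relative '//host' forms, and backslashes, which browsers treat as
    slashes and which would otherwise slip past the '//' test."""
    if "\\" in location or not location.startswith("/"):
        return False
    parts = urlsplit(location)
    return parts.scheme == "" and parts.netloc == ""
```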

Comment 25 errata-xmlrpc 2019-05-08 12:39:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:1085

