Bug #11843

Updated by Jim Pingle almost 3 years ago

The value of @redirurl@ is passed as-is from the client URL into a page result served to users in certain cases. If a logged-in captive portal user visits a manually crafted URL which contains a malicious value for @redirurl@, and then follows the resulting link, it could lead to JS code being executed in their browser.

It does not appear to be possible to automatically trigger the behavior or to have it be populated from the CP configuration, due to other unrelated issues (#11842 for one example) and browser behaviors. For example, the browser would refuse to redirect and instead would display a protocol violation error.

To test the behavior:

* Configure and enable a basic captive portal instance for LAN (authentication can be disabled to keep it simple)
* From a client on LAN, log in to the portal
* From the client, load the following URL: @<portal URL>/index.php?zone=<zone name>&redirurl=javascript:alert(location)@
  For example: @http://192.168.1.1:8002/index.php?zone=guests&redirurl=javascript:alert(location)@
* The page will output a message stating "You are connected" including a link to the contents of @redirurl@
* From the client, click the link. The JS is executed.

If the contents of @redirurl@ are not a URL, the link should be omitted.
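As an added illustration of the check described above (this is not pfSense code and is not from the report; the function names @safe_redirect_url@ and @connected_message@ are hypothetical), a Python sketch that only emits the "You are connected" link when @redirurl@ parses as an absolute http or https URL, and escapes it on output. The @javascript:@ value from the test steps, a mixed-case variant, a tab-split variant, a scheme-relative value and a @data:@ value are all rejected; the portal URL from the example is accepted.

```python
from html import escape
from urllib.parse import urlsplit

# Only absolute web URLs are acceptable as a post-login redirect target.
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_url(raw):
    """Return raw unchanged if it is an absolute http(s) URL, else None.

    A scheme allowlist is used rather than a blocklist of "javascript:",
    since browsers also run data:, vbscript: and other schemes, and
    tolerate case differences and embedded tab/newline characters.
    """
    if not raw:
        return None
    # Browsers strip ASCII tabs/newlines before scheme parsing, so a value
    # like "java\tscript:..." would otherwise slip past a naive check.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in raw):
        return None
    try:
        parts = urlsplit(raw)
    except ValueError:
        return None
    # urlsplit lowercases the scheme; require both an allowed scheme and a host,
    # which also rejects "//host/path" (no scheme) and "http:host" (no authority).
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return raw


def connected_message(redirurl):
    """Build the post-login HTML fragment; omit the link for non-URL values."""
    url = safe_redirect_url(redirurl)
    if url is None:
        return "<p>You are connected.</p>"
    # Escape on output as well: a valid URL may still contain '"' or '&'.
    return '<p>You are connected. <a href="{0}">Click here to continue</a></p>'.format(
        escape(url, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample values, including the one from the test steps above.
    for value in (
        "javascript:alert(location)",
        "JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "//evil.example/",
        "http://192.168.1.1:8002/index.php?zone=guests",
    ):
        print(repr(value), "->", connected_message(value))
```

The two-layer approach matters: the scheme check decides whether a link is emitted at all, and the output escaping prevents a legitimate URL from breaking out of the @href@ attribute.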
