Glassfish redirect to untrusted site
Product Line: Eclipse GlassFish
• Vulnerable Version: 7.0.15
• Summary: The value of the Host HTTP header is reflected into the redirect target when the requested endpoint is '/management/domain'. By setting the Host value to a malicious site, an attacker can redirect users to an attacker-controlled page, launch a phishing scam and steal user credentials.
• Prerequisites: No special configurations are required.
Step-by-step instructions and PoC
The application presents an open redirect via the Host header when the /management/domain endpoint is requested with an HTTP GET request.
Affected Endpoints
URL: https://[IP]:[PORT]/management/domain
HTTP Parameter: Host
GET /management/domain HTTP/1.1
Host: google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
Below is the evidence with the vulnerability details and the payloads used. (image)
To perform this attack, the attacker does not need to be authenticated to the target application.
Security Impact
An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
Remediation Steps
If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:
• Remove the redirection function from the application and replace links to it with direct links to the relevant target URLs.
• Maintain a server-side list of all URLs that are permitted for redirection. Instead of passing the target URL as a parameter to the redirector, pass an index into this list.
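A reference implementation of the allowlist remediation, added here as an example and not taken from GlassFish: the vulnerable handler echoes the request's Host header into Location, while the hardened one accepts only an exact match against a server-side allowlist and otherwise falls back to the configured canonical host. The host names, the port and the trailing-slash Location format are assumptions; the sample request is constructed from the PoC above.

```python
from urllib.parse import urlsplit

# Constructed configuration (assumption): the hosts this deployment legitimately serves.
ALLOWED_HOSTS = {"admin.example.internal", "admin.example.internal:4848"}
CANONICAL_HOST = "admin.example.internal:4848"

# Constructed sample request, reduced to the headers that matter for the PoC.
POC_REQUEST = (
    "GET /management/domain HTTP/1.1\r\n"
    "Host: google.com\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def parse_request_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a dict (names lower-cased)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def vulnerable_location(headers: dict, path: str) -> str:
    """Reported behaviour: the untrusted Host header is copied straight into Location."""
    return f"https://{headers.get('host', '')}{path}/"


def safe_location(headers: dict, path: str) -> str:
    """Remediated behaviour: use the client's Host only if it is on the server-side
    allowlist and is a bare host[:port]; anything else redirects to the canonical host."""
    host = headers.get("host", "").strip().lower()
    parsed = urlsplit("//" + host)
    # Reject userinfo, embedded paths or anything else that is not a plain authority.
    well_formed = parsed.netloc == host and parsed.username is None and bool(parsed.hostname)
    target = host if well_formed and host in ALLOWED_HOSTS else CANONICAL_HOST
    return f"https://{target}{path}/"


if __name__ == "__main__":
    hdrs = parse_request_headers(POC_REQUEST)
    print("vulnerable:", vulnerable_location(hdrs, "/management/domain"))
    print("hardened:  ", safe_location(hdrs, "/management/domain"))
```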