SS-2014-006: XSS in returnURL redirection

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Low (?)
Identifier:: SS-2014-006
Versions Affected:: 3.0.9, 3.1.3, and all versions before
Versions Fixed:: 3.0.10, 3.1.4
Release Date:: 2014-04-01

If an attacker can set the URL passed to Controller->redirect() and output is sent to the browser before the redirect can occur, the URL may be outputted directly to the browser.

This can potentially be exploited through dev/build, i.e. http://site.com/dev/build?returnURL=/"><h1>Hacked!</h1><!--

If the response is buffered enough that output hasn’t been sent to the browser yet this particular attack vector isn’t available on a stock install, but others may be and it may still be available in customised installs.

The fix is to escape the URL before displaying it to the user.

Download Patch for 3.1 | Download Patch for 3.0

Thanks to Simon Welsh for reporting and providing a patch.