SS-2018-008: BackURL validation bypass with malformed URLs

Severity: High
Identifier: SS-2018-008
Versions Affected: silverstripe/framework:^4.0
Versions Fixed: silverstripe/framework:4.0.4, silverstripe/framework:4.1.1
Release Date: 2018-05-28

A carefully constructed malformed URL can be used to circumvent the offsite redirection protection applied to BackURL parameters. This could lead to users entering sensitive data on a malicious website instead of the intended one.

Reported by Mustafa Hasan