Security: Patch for XSS and Open Redirect Vulnerability

Hello all,

We just released a change (the patch is attached to this post) for a security vulnerability in edx-platform affecting the /login, /logout, and /register endpoints. See the attachment below for a patch for the current release and for the Olive release.

Without this patch, it is possible to redirect the user to any website, and to execute JavaScript, through the next and redirect_url query parameters.

While we had code in place to filter redirect URLs so that only safe ones are accepted, URLs containing whitespace characters were still able to pass through the filter.

Affected URLs:
https://courses.edx.org/logout?next=/%09/google.com/
https://courses.edx.org/logout?next=java%0D%0Ascript%0D%0A%3aalert(document.domain).

Our fix ensures that unsafe bytes are removed from the target URL before it is filtered and before the redirect is issued.
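As an added illustration (this is not the attached patch or edx-platform code), the following Python models the bypass and the strip-before-filter fix: a naive filter that inspects the raw `next` value, beside one that removes whitespace and control bytes first. The allow-list host, the function names and the sample values are constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list for the example; a deployment uses its own hosts.
ALLOWED_HOSTS = {"courses.example.org"}

# ASCII control characters and whitespace (tab, CR, LF, space, DEL ...).
# Browsers drop tab/CR/LF while parsing, so "/\t/host" becomes "//host" and
# "java\r\nscript:" becomes "javascript:" only AFTER a raw-string filter ran.
UNSAFE_BYTES = re.compile(r"[\x00-\x20\x7f]")


def _host_is_allowed(url: str) -> bool:
    host = urlsplit(url).hostname
    return host is not None and host.lower() in ALLOWED_HOSTS


def naive_is_safe_redirect(url: str) -> bool:
    """Hypothetical weak filter: looks at the raw value without normalising it."""
    lower = url.lower()
    if lower.startswith(("javascript:", "data:", "vbscript:")):
        return False
    if lower.startswith("//") or "://" in lower:
        return _host_is_allowed(url)
    return True  # treated as a plain relative path


def strip_unsafe_bytes(url: str) -> str:
    return UNSAFE_BYTES.sub("", url)


def sanitize_redirect(url: str) -> Optional[str]:
    """Hardened version: strip unsafe bytes, then filter the normalised value.

    Returns the cleaned URL to redirect to, or None if it must be rejected.
    """
    cleaned = strip_unsafe_bytes(url)
    return cleaned if naive_is_safe_redirect(cleaned) else None


# Constructed samples: the decoded form of ?next=/%09/google.com/ and
# ?next=java%0D%0Ascript%0D%0A%3aalert(document.domain)
SAMPLES = ["/\t/google.com/", "java\r\nscript\r\n:alert(document.domain)"]


def demo() -> dict:
    """Map each sample to (naive verdict, hardened result)."""
    return {s: (naive_is_safe_redirect(s), sanitize_redirect(s)) for s in SAMPLES}
```

Both samples pass the naive filter and are rejected by the hardened one, while ordinary relative paths and allow-listed absolute URLs still pass.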

The fix is already public on the openedx edx-platform master and olive branches. If you are using master or olive, please update or apply the patch as soon as possible.
xss_open_redirect_vul.patch.gz (879 Bytes)

Thanks,

Syed Sajjad Hussain Shah
edX Activate Squad

P.S. Patch is attached in gzip form to prevent Google Groups from modifying the patch’s line endings.