CVE-2023-28370 - Open Redirect Vulnerability in Tornado 6.3.1 and Earlier Affects User Security and Poses a Phishing Threat

CVE-2023-28370 is an open redirect vulnerability in Tornado, the Python web framework and asynchronous networking library, affecting versions 6.3.1 and earlier and fixed in 6.3.2. It allows a remote, unauthenticated attacker who can get a user to open a specially crafted URL to send that user's browser to an arbitrary site, which is the raw material of a convincing phishing attack: the link the victim clicks really does point at the legitimate application. In this post, we'll look at the technical details of CVE-2023-28370, what it means for Tornado users, a code example of the underlying mistake, and the original references for further reading.

Understanding the Vulnerability

Open redirect vulnerabilities occur when a web application issues an HTTP redirect whose target is controlled or influenced by attacker-supplied input. In the case of CVE-2023-28370 the flaw is in Tornado's StaticFileHandler. When the handler is configured with a default_filename and receives a request for a directory without a trailing slash, it redirects to the request path plus "/". A request path may begin with two slashes, and a Location header such as //evil.site/dir/ is a protocol-relative URL: the browser keeps the scheme but replaces the host, so the redirect leaves the application's origin. The 6.3.2 fix rejects request paths that start with "//" with a 403 before issuing that redirect; the release notes state that the condition is only reachable under certain configurations.

When left unaddressed, open redirect vulnerabilities facilitate malware distribution and phishing campaigns: the attacker sends a link to the legitimate Tornado application, which then hands the user's browser to a malicious site. Because the link the victim checked was genuine, users are more easily tricked into entering passwords, credit card details or other sensitive information on the attacker's page, believing they are still on the trusted web app.

The snippet below illustrates the same class of bug in application code: a handler that redirects to a caller-supplied URL without validating it. This is not the framework bug itself (code like this is exploitable on any Tornado version, including 6.3.2), but it produces exactly the outcome CVE-2023-28370 produces and is the clearest way to see the attack.

import tornado.web

class RedirectHandler(tornado.web.RequestHandler):
    def get(self):
        # Attacker-controlled: taken straight from the query string.
        url = self.get_argument("url")
        # Emitted as the Location header with no validation at all.
        self.redirect(url)

application = tornado.web.Application([
    (r"/redirect", RedirectHandler),
])

In this example, RedirectHandler reads the url query parameter and passes it unchanged to redirect(), which writes it into the Location header of a 302 response. Any value the attacker places in that parameter, including an absolute URL on another host or a protocol-relative //host/... value, becomes the browser's next destination.

Exploit Details

To exploit this kind of flaw, an attacker crafts a link to the legitimate application whose redirect parameter carries the address of the phishing or malware site. For example:

http://vulnerable.tornadoapp.com/redirect?url=http://evil.site/phishing

When an unsuspecting user clicks this link, the application itself answers with a redirect to the attacker-controlled site (http://evil.site/phishing), where credential harvesting or malware delivery can take place. The same effect is achieved with a protocol-relative value such as url=//evil.site/phishing, which is the form the StaticFileHandler bug produced.
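As an added example (not code from this post or from the Tornado project), here is a redirect-target check that refuses both the application-level pattern in the handler above and the protocol-relative //host form the framework bug produced, together with a helper that shows where a browser ends up after such a Location header. The host names, URLs and the allowlist are constructed for illustration.

```python
"""Redirect-target validation for a Tornado application, plus a demonstration
of why a Location header that starts with "//" leaves the origin.

Added example for this post; not Tornado's own code. Host names, paths and
the allowlist are constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

# Hosts this application is willing to redirect to (constructed for the example).
ALLOWED_HOSTS = frozenset({"vulnerable.tornadoapp.com"})


def is_safe_redirect_target(target: str, allowed_hosts: frozenset = ALLOWED_HOSTS) -> bool:
    """Return True only if `target` stays on this application or an allowlisted host.

    Refuses absolute URLs to foreign hosts, protocol-relative "//host/..." values,
    the backslash and extra-slash variants browsers normalise into "//", and
    control characters that could split the Location header.
    """
    if not target:
        return False
    # Browsers strip leading/trailing whitespace and embedded tab/newline, and an
    # injected CR/LF could terminate the header early. Refuse rather than normalise.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.site" becomes "//evil.site".
    if "\\" in target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. an unbalanced IPv6 bracket; not a URL we want to follow
        return False
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only http(s) to a host we explicitly allow.
        # Compare the whole netloc so "user@evil.site" or a foreign port cannot pass.
        return parts.scheme in ("http", "https") and parts.netloc.lower() in allowed_hosts
    # Same-origin path: exactly one leading slash. "//..." and "///..." are
    # authority-relative to a browser even though urlsplit reports an empty netloc.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """The value a handler should hand to self.redirect(): the target, or a fixed fallback."""
    return target if is_safe_redirect_target(target) else fallback


def resolve_location(request_url: str, location: str) -> str:
    """Where a client ends up after a 3xx carrying this Location value.

    urljoin applies RFC 3986 resolution, which is enough to show the
    protocol-relative case; browsers (WHATWG URL) are more permissive, not less.
    """
    return urljoin(request_url, location)


if __name__ == "__main__":
    # Constructed request URL and redirect parameters for demonstration.
    app = "https://vulnerable.tornadoapp.com/redirect"
    for candidate in ["/account", "//evil.site/phishing", "http://evil.site/phishing",
                      "/\\evil.site", "https://vulnerable.tornadoapp.com/login"]:
        verdict = "allow" if is_safe_redirect_target(candidate) else "REJECT"
        print(f"{candidate!r:45} -> {verdict}")
    # The core of CVE-2023-28370: a Location of "//evil.site/..." is a different host.
    print("browser lands on:", resolve_location(app, "//evil.site/phishing"))
```

In the handler, replace self.redirect(url) with self.redirect(safe_redirect_target(self.get_argument("url", "/"))); the fallback keeps the user on the site instead of erroring. The check deliberately refuses suspicious input rather than rewriting it, because URL normalisation rules differ between browsers and a value that looks harmless after one parser's cleanup may still be interpreted as a foreign host by another.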

References

1. Tornado 6.3.2 release notes (security fix): http://www.tornadoweb.org/en/stable/releases/v6.3.2.html
2. CVE record for CVE-2023-28370: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28370
3. National Vulnerability Database entry: https://nvd.nist.gov/vuln/detail/CVE-2023-28370

Conclusion

CVE-2023-28370 is a significant open redirect vulnerability that affects Tornado versions 6.3.1 and earlier. Developers running Tornado are strongly advised to upgrade to 6.3.2 or later, which is the release containing the fix, and to review their own handlers for the same mistake: any redirect whose target comes from a request parameter should be validated against a same-origin path or an explicit host allowlist before it is passed to redirect(). Users should remain vigilant against phishing and treat a redirect that ends on an unfamiliar host with suspicion, even when the link they clicked pointed at a site they trust.

Timeline

Published on: 05/25/2023 10:15:00 UTC
Last modified on: 06/01/2023 13:04:00 UTC