CVE-2023-41080 - URL Redirection to Untrusted Site ('Open Redirect') Vulnerability in Apache Tomcat FORM Authentication

The popular web server Apache Tomcat has been identified to have a URL Redirection to Untrusted Site ('Open Redirect') vulnerability (CVE-2023-41080) in its FORM authentication feature. This vulnerability allows attackers to redirect users to untrusted sites by exploiting the login process. In this post, we will delve into the details of this vulnerability and provide insights on how it works, its potential impact, and the affected Tomcat versions.

Vulnerability Description

To understand this vulnerability, let's first look at the concept of 'Open Redirect'. "Open Redirect" is a security flaw wherein an application accepts user-controlled input that specifies a target URL, and then the application redirects the user to the provided URL. Having this flaw, attackers can craft malicious URLs that redirect users to untrusted sites, thus enabling phishing attacks, malware distribution, and other malicious activities.

For Apache Tomcat, the vulnerability resides within its FORM authentication feature. There is a loophole in how the authentication process handles the 'redirect' parameter, which lets an attacker craft a malicious link containing an external URL that leads users to untrusted sites.

8.5. through 8.5.92

It is important to note that this vulnerability is limited to the ROOT (default) web application.

Code Snippet Demonstrating the Vulnerability

@RequestMapping(value = "/login", method = RequestMethod.POST)
public String postLogin(@RequestParam(value = "username") String username,
                        @RequestParam(value = "password") String password,
                        @RequestParam(value = "redirect", required = false) String redirect) {
    // ... authentication logic ...

    // Vulnerable code:
    return "redirect:" + redirect;
}

In the code snippet above, the 'redirect' parameter is directly used to build the response URL without any validation, thereby allowing the crafting of URLs that redirect users to untrusted sites.

Original References

- Apache Tomcat Security Advisory
- CVE-2023-41080 in NIST National Vulnerability Database

Exploit Details

To exploit this vulnerability, an attacker would need to craft a malicious URL that contains an untrusted external domain in the 'redirect' parameter. For example:

https://vulnerable-domain.com/login?username=testuser&password=testpassword&redirect=https://malicious-domain.com

When a user clicks on the malicious link, they will be redirected to the untrusted site (in this case, "malicious-domain.com") after successful authentication, risking exposure to phishing attacks, malware, or other security threats.

Recommendations

If you are using any of the affected Apache Tomcat versions and have deployed the ROOT (default) web application, we strongly recommend taking the following steps to mitigate the risk:

1. Update to the latest version of Apache Tomcat (as per your major version) that contains the patched fix for this vulnerability.
2. Review your code to ensure you are validating and sanitizing user input, particularly for URL redirection, to avoid 'Open Redirect' vulnerabilities.

In conclusion, this vulnerability highlights the importance of validating and sanitizing user input in web applications. While this specific vulnerability affects Apache Tomcat, it serves as a valuable reminder to developers to exercise caution when handling user-provided data, as it can have severe security implications. Make sure to update your Apache Tomcat installations to the latest available versions and always practice secure coding techniques.

Timeline

Published on: 08/25/2023 21:15:09 UTC
Last modified on: 11/03/2023 19:00:56 UTC