From de22bd995414e45f2ed60efaee4c3e62f7800dff Mon Sep 17 00:00:00 2001
From: Sven
Date: Fri, 8 Oct 2021 14:06:27 +0200
Subject: [PATCH] Issue #1311: Fixed an open redirect in ExternalURLJump. Thanks to amammad for disclosing it to us.

---
 Kernel/Modules/ExternalURLJump.pm | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/Kernel/Modules/ExternalURLJump.pm b/Kernel/Modules/ExternalURLJump.pm
index 72daba1c98..125e778e33 100644
--- a/Kernel/Modules/ExternalURLJump.pm
+++ b/Kernel/Modules/ExternalURLJump.pm
@@ -20,7 +20,9 @@ use strict;
 use warnings;
 our @ObjectDependencies = (
+ 'Kernel::Config',
 'Kernel::Output::HTML::Layout',
+ 'Kernel::System::Log',
 'Kernel::System::Web::Request',
 );
@@ -39,10 +41,32 @@ sub Run {
 my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
 my $ParamObject = $Kernel::OM->Get('Kernel::System::Web::Request');
+ my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
 my $ExtURL = $ParamObject->GetParam( Param => 'URL' );
- return $LayoutObject->Redirect( ExtURL => $ExtURL );
+ # check whether the URL is defined in the Config - prevents using OTOBO for phishing attacks
+ my $NavAgent = $ConfigObject->Get('Frontend::Navigation');
+ my $NavCustomer = $ConfigObject->Get('CustomerFrontend::Navigation');
+
+ my @URLSets = ( $NavAgent && $NavAgent->{ExternalURLJump} ) ? ( values %{ $NavAgent->{ExternalURLJump} } ) : ();
+ push @URLSets, ( $NavCustomer && $NavCustomer->{ExternalURLJump} ) ? ( values %{ $NavCustomer->{ExternalURLJump} } ) : ();
+
+ for my $Set ( @URLSets ) {
+ LINK:
+ for my $Links ( @{ $Set } ) {
+ next LINK if $Links->{Link} !~ /$ExtURL/;
+
+ return $LayoutObject->Redirect( ExtURL => $ExtURL );
+ }
+ }
+
+ $Kernel::OM->Get('Kernel::System::Log')->Log(
+ Priority => 'info',
+ Message => "Prevented ExternalURLJump to '$ExtURL' because the link is not configured.",
+ );
+
+ return $LayoutObject->Redirect( OP => ' ' );
 }
 1;
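Review bot: The allow-list check `next LINK if $Links->{Link} !~ /$ExtURL/;` in the second hunk interpolates the user-supplied `URL` parameter into a regex unescaped, so it is an unanchored substring match under attacker-controlled regex syntax rather than an equality check: metacharacters such as `|`, `.` or quantifiers let a value that is not itself a configured link still match one and then be passed to `Redirect` unchanged, a pathological pattern can stall the request, and a syntactically invalid pattern makes the match die at request time. A missing or empty `URL` is not rejected before the loop either, and Perl's empty pattern reuses the last successfully matched regex, so that case passes or fails depending on unrelated earlier matches. I would guard first with `return $LayoutObject->Redirect( OP => ' ' ) if !defined $ExtURL || !length $ExtURL;` and compare exactly with `next LINK if $Links->{Link} ne $ExtURL;` (or, if a prefix match is deliberately wanted, anchor and quote it: `next LINK if $Links->{Link} !~ /\A\Q$ExtURL\E/;`, bearing in mind a prefix match still permits any path under a configured link). If configured links can contain placeholders that are rendered before display, the comparison should be against the rendered value; `Run` starts before this hunk.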