Issue #1311: Fixed an open redirect in ExternalURLJump. Thanks to ama…

…mmad for disclosing it to us.
RotherOSS · Oct 8, 2021 · de22bd9 · de22bd9
1 parent 741a845
commit de22bd9
Showing 1 changed file with 25 additions and 1 deletion.
diff --git a/Kernel/Modules/ExternalURLJump.pm b/Kernel/Modules/ExternalURLJump.pm
@@ -20,7 +20,9 @@ use strict;
 use warnings;
 
 our @ObjectDependencies = (
+    'Kernel::Config',
     'Kernel::Output::HTML::Layout',
+    'Kernel::System::Log',
     'Kernel::System::Web::Request',
 );
 
@@ -39,10 +41,32 @@ sub Run {
 
     my $LayoutObject = $Kernel::OM->Get('Kernel::Output::HTML::Layout');
     my $ParamObject  = $Kernel::OM->Get('Kernel::System::Web::Request');
+    my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
 
     my $ExtURL = $ParamObject->GetParam( Param => 'URL' );
 
-    return $LayoutObject->Redirect( ExtURL => $ExtURL );
+    # check whether the URL is defined in the Config - prevents using OTOBO for phishing attacks
+    my $NavAgent    = $ConfigObject->Get('Frontend::Navigation');
+    my $NavCustomer = $ConfigObject->Get('CustomerFrontend::Navigation');
+
+    my @URLSets = ( $NavAgent && $NavAgent->{ExternalURLJump} ) ? ( values %{ $NavAgent->{ExternalURLJump} } ) : ();
+    push @URLSets, ( $NavCustomer && $NavCustomer->{ExternalURLJump} ) ? ( values %{ $NavCustomer->{ExternalURLJump} } ) : ();
+
+    for my $Set ( @URLSets ) {
+        LINK:
+        for my $Links ( @{ $Set } ) {
+            next LINK if $Links->{Link} !~ /$ExtURL/;
+
+            return $LayoutObject->Redirect( ExtURL => $ExtURL );
+        }
+    }
+
+    $Kernel::OM->Get('Kernel::System::Log')->Log(
+        Priority => 'info',
+        Message  => "Prevented ExternalURLJump to '$ExtURL' because the link is not configured.",
+    );
+
+    return $LayoutObject->Redirect( OP => ' ' );
 }
 
 1;