Fixes session hijacking via open redirection

slackero · Aug 14, 2021 · 45171f6 · 45171f6
1 parent 826fc72
commit 45171f6
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/include/inc_lib/revision/revision.php b/include/inc_lib/revision/revision.php
@@ -10,5 +10,5 @@
  **/
 
 define('PHPWCMS_VERSION', '1.9.25-dev');
-define('PHPWCMS_RELEASE_DATE', '2021/08/09');
+define('PHPWCMS_RELEASE_DATE', '2021/08/14');
 define('PHPWCMS_REVISION', '552');
diff --git a/login.php b/login.php
@@ -75,10 +75,11 @@
 $wcs_user   = '';
 
 // where user should be redirected too after login
-if(!empty($_POST['ref_url'])) {
-    $ref_url = xss_clean($_POST['ref_url']);
-} elseif(!empty($_GET['ref'])) {
-    $ref_url = xss_clean(rawurldecode($_GET['ref']));
+if(isset($_POST['ref_url']) || isset($_GET['ref'])) {
+    $ref_url = xss_clean(empty($_POST['ref_url']) ? rawurldecode($_GET['ref']) : $_POST['ref_url']);
+    if (substr($ref_url, 0, strlen(PHPWCMS_URL)) !== PHPWCMS_URL) {
+        $ref_url = '';
+    }
 } else {
     $ref_url = '';
 }