Open Redirect Vulnerabilities

IDs: 
CVE-2020-1927, CVE-2019-10098
Keywords: 
apache, httpd, mod_rewrite, redirect
Description: 

The mod_rewrite module of Apache httpd is affected by open redirect vulnerabilities (CVE-2020-1927, CVE-2019-10098). Airlock WAF relies on mod_rewrite for the redirects that are configured per virtual host in the WAF Configuration Center [1].

Depending on the configured redirects, an attacker may be able to craft a URL that Airlock WAF transforms into a redirect to an attacker-controlled destination. Open redirects are especially useful for phishing campaigns, because the link the victim sees starts with the trusted host name.

The Apache httpd update 2.4.43 changed mod_rewrite to prevent some common mistakes in insecure redirect configurations. Since this fix does not prevent open redirects in general, we recommend checking your configuration manually.

Resolution: 

We recommend checking the redirect settings of all virtual hosts (tab "Advanced") or on the Configuration Summary page in the section "Path Rewrites".

If you are not using backreferences ($1, $2, ..., $N), your configuration is safe: the redirect target is fixed and cannot be influenced by the request.

If you are using backreferences, check whether an attacker can craft a URL that is transformed into a malicious redirect, e.g. one pointing to an attacker-controlled host.

Examples [2]

R: Redirect setting [from => to]
E: Exploit example (URL to be transformed by Airlock WAF)
D: Resulting redirect URL

R: ^/oldwebsite(.*) => $1
E: https://redirect.local/oldwebsitehttp://evilwebsite.com/
D: http://evilwebsite.com/

R: ^/page(.*) => $1.html
E: https://redirect.local/pagehttp://evilwebsite.com/evil
D: http://evilwebsite.com/evil.html

R: ^/api/(.*)/(.*) => http://$1:8080/$2
E: https://redirect.local/api/evilwebsite.com/foo
D: http://evilwebsite.com:8080/foo

R: (.*)$ => https://redirect.local$1
E: https://redirect.local/%0a.evilwebsite.com
D: https://redirect.local.evilwebsite.com

R: (.*)$ => https://redirect.local:443$1
E: https://redirect.local/%0afoo@0day.work
D: https://redirect.local:443foo@0day.work

In the last two examples the percent-encoded newline (%0a) makes the unanchored pattern match only the part after the newline, so the backreference no longer starts with "/" and is glued onto the host name or, via the "@" separator, turned into basic-auth credentials in front of an attacker-controlled host. This is the class of mistake addressed by CVE-2020-1927.

If you find an insecure redirect, change it so that an attacker cannot control critical parts of the destination URL (scheme, host name, port, or basic-auth user name/password), e.g. by anchoring the pattern with ^/ and starting the substitution with a fixed scheme, host and trailing slash, so that the backreference can only ever form the path part.
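The following Python script is an added example, not part of the advisory or of Airlock's own code. It models a mod_rewrite substitution (unanchored regex search over the percent-decoded request path, $N backreferences expanded into the substitution) and runs the advisory's five examples plus two hardened variants through it, then applies the check from the resolution: does the resulting target still have the expected scheme, host and port and no user info? The trusted host name redirect.local, the hardened rules, the helper names and the simplified rewrite model are assumptions of this example; it reproduces the advisory's outcomes but does not claim to be a complete emulation of httpd.

```python
import re
from urllib.parse import urlsplit, unquote

# Host the redirects are supposed to stay on (assumption for this example).
TRUSTED_HOST = "redirect.local"

# (pattern, substitution, request URL): the advisory's five examples,
# followed by two hardened variants (constructed for this example).
CASES = [
    (r"^/oldwebsite(.*)", "$1",
     "https://redirect.local/oldwebsitehttp://evilwebsite.com/"),
    (r"^/page(.*)", "$1.html",
     "https://redirect.local/pagehttp://evilwebsite.com/evil"),
    (r"^/api/(.*)/(.*)", "http://$1:8080/$2",
     "https://redirect.local/api/evilwebsite.com/foo"),
    (r"(.*)$", "https://redirect.local$1",
     "https://redirect.local/%0a.evilwebsite.com"),
    (r"(.*)$", "https://redirect.local:443$1",
     "https://redirect.local/%0afoo@0day.work"),
    # Hardened: backreference only ever becomes a path below a fixed prefix.
    (r"^/oldwebsite/(.*)", "/newwebsite/$1",
     "https://redirect.local/oldwebsite/http://evilwebsite.com/"),
    # Hardened: anchored at the path start with a fixed scheme, host and "/".
    (r"^/(.*)$", "https://redirect.local/$1",
     "https://redirect.local/%0a.evilwebsite.com"),
]


def apply_rewrite(pattern, substitution, request_url):
    """Simplified model of a mod_rewrite RewriteRule: an unanchored regex
    search over the percent-decoded request path, with $0..$9 in the
    substitution replaced by the matched groups. Returns None when the
    pattern does not match (no redirect would be issued)."""
    path = unquote(urlsplit(request_url).path)
    m = re.search(pattern, path)
    if m is None:
        return None

    def backref(ref):
        n = int(ref.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""

    return re.sub(r"\$([0-9])", backref, substitution)


def redirect_escapes(target):
    """True when the redirect target leaves TRUSTED_HOST: a scheme other
    than https, a foreign host, a user-info part (user:pass@) or an
    unexpected port. Relative targets (no scheme, no host) stay on the
    current host and are considered safe."""
    if target is None:
        return False
    parts = urlsplit(target)
    if parts.scheme not in ("", "https"):
        return True
    if parts.hostname not in (None, TRUSTED_HOST):
        return True
    if parts.username is not None or parts.password is not None:
        return True
    if parts.port not in (None, 443):
        return True
    return False


def audit(cases=CASES):
    """Run every case and return (pattern, substitution, target, escapes)."""
    results = []
    for pattern, substitution, request_url in cases:
        target = apply_rewrite(pattern, substitution, request_url)
        results.append((pattern, substitution, target, redirect_escapes(target)))
    return results


if __name__ == "__main__":
    for pattern, substitution, target, escapes in audit():
        verdict = "OPEN REDIRECT" if escapes else "ok"
        print(f"{pattern!r:22} => {substitution!r:34} {target!r:46} {verdict}")
```

The first five cases are reported as open redirects with exactly the destinations listed above; the two hardened rules either keep the backreference inside the path or, for the encoded-newline request, do not match at all because ^/ forces the match to start at the beginning of the path. The check function is also usable on its own against the Location header of a real response, which is the quickest way to verify a redirect after changing the configuration.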

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock