Closed
Description
Summary
The redirect in the sso method is implemented insecurely: the url request parameter is user-controllable and is placed directly into the redirect target, which leads to an Open Redirect vulnerability.
Details
- src/main/java/com/jeesite/modules/sys/web/SsoController.java
@RequestMapping(value = "sso/{username}/{token}")
public String sso(@PathVariable String username, @PathVariable String token,
        @RequestParam(defaultValue="${adminPath}/index") String url, String relogin,
        HttpServletRequest request, HttpServletResponse response, Model model){
    // If already logged in as the same user and re-login is not forced, go straight to the target page
    User user = UserUtils.getUser();
    if(StringUtils.isNotBlank(user.getUserCode())
            && StringUtils.equals(user.getLoginCode(), username)
            && !ObjectUtils.toBoolean(relogin)){
        if (ServletUtils.isAjaxRequest(request)){
            return ServletUtils.renderResult(response, Global.TRUE, text("账号已登录"));
        }else{
            // Sink: the user-supplied url parameter is decoded and used as the redirect target without validation
            return REDIRECT + EncodeUtils.decodeUrl2(url);
        }
    }
    // Log in to the system with the token
    if (token != null){
        try {
            // The three FormToken constructor arguments: login name, SSO token secret, request object
            UserUtils.getSubject().login(new FormToken(username, token, request));
            // The same unvalidated url is stored on the request before the login-success handler runs
            request.setAttribute("__url", EncodeUtils.decodeUrl2(url));
            FormFilter.onLoginSuccess(request, response);
        } catch (AuthenticationException e) {
            FormFilter.onLoginFailure(e, request, response);
        }
        return null;
    }
    return "error/403";
}
POC
http://127.0.0.1:8980/js/sso/system/x?url=http://google.com/&relogin=0
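An added example, not JeeSite's code, of the check a fix needs before the url value reaches REDIRECT or the __url attribute: only site-relative paths pass, anything else falls back to the default target. java.net.URLDecoder stands in for EncodeUtils.decodeUrl2, and the class name and fallback path are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
// Assumed helper, not part of JeeSite. Needs Java 10+ for URLDecoder.decode(String, Charset).
public final class SafeRedirect {
    // Assumed fallback; the controller's real default is "${adminPath}/index".
    static final String FALLBACK = "/a/index";
    // Returns the decoded url if it is an in-site path, otherwise FALLBACK.
    public static String resolve(String url) {
        if (url == null || url.isEmpty()) {
            return FALLBACK;
        }
        // Decode once, as the controller does, so the check sees the exact
        // string that would end up in the Location header.
        String decoded = URLDecoder.decode(url, StandardCharsets.UTF_8);
        return isLocalPath(decoded) ? decoded : FALLBACK;
    }
    static boolean isLocalPath(String target) {
        // Exactly one leading "/": browsers treat "//host" and "/\host" as
        // protocol-relative, i.e. as a different site.
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) {
            return false;
        }
        // No control characters (header injection) or backslashes anywhere.
        if (target.chars().anyMatch(c -> c < 0x20 || c == 0x7f || c == '\\')) {
            return false;
        }
        try {
            // A scheme or authority after parsing means the browser would leave the site.
            URI uri = new URI(target);
            return uri.getScheme() == null && uri.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        String[] inputs = {
            "/a/sys/user/list",    // accepted: in-site path
            "http://google.com/",  // rejected: absolute URL (the PoC value)
            "//google.com/",       // rejected: protocol-relative
            "%2F%2Fgoogle.com"     // rejected: decodes to //google.com
        };
        for (String in : inputs) {
            System.out.println(in + " -> " + resolve(in));
        }
    }
}
```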
Impact
https://www.invicti.com/learn/open-redirect-open-redirection/