Compliance Impact

This open redirect vulnerability could be exploited by attackers to redirect authenticated users to malicious external sites, potentially facilitating phishing attacks or delivery of malicious content.

Such exploitation may lead to unauthorized disclosure or compromise of user credentials or sensitive information, which can negatively impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding user data and preventing unauthorized access.

Therefore, the vulnerability poses a risk to maintaining the security controls necessary for compliance with these standards, as it undermines user trust and the integrity of authentication flows.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation involves applying the patch that validates the pre_login_requested_url session value before redirecting.

The patch includes decoding and parsing the URL, rejecting URLs with schemes, hosts, user components, missing or non-local paths, and protocol-relative forms.

If patching is not immediately possible, consider implementing temporary input validation to ensure redirect URLs are local paths only.

Additionally, educate users about phishing risks related to open redirects and monitor for suspicious redirect behavior.

Useful 0 Not Useful 0

Executive Summary

This vulnerability is an open redirect issue in the MISP application's UsersController::routeafterlogin() function. It occurs because the application uses the value stored in the pre_login_requested_url session key as the destination URL after a user logs in, without properly verifying that this URL is a local path within the application.

An attacker can craft a malicious link that directs a user to a trusted MISP instance, and after the user logs in, the application redirects them to an external URL controlled by the attacker. This can be exploited to make phishing attacks more convincing, redirect users to fake login pages, or deliver malicious content from untrusted domains.

The vulnerability is addressed by validating and parsing the URL to reject any that contain schemes, hosts, user information, or non-local paths, including protocol-relative URLs like //example.com or /\example.com.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by enabling attackers to redirect authenticated users to malicious external websites after login. This can increase the success of phishing attacks by leveraging the trust users have in the legitimate MISP instance.

Users might be redirected to counterfeit login pages designed to steal credentials or to sites that deliver malicious content, potentially leading to credential compromise, malware infection, or other security breaches.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious URLs used in the pre_login_requested_url session key that lead to external domains after login.

One approach is to analyze web server logs or application logs for redirect URLs that contain external hosts or schemes instead of local application paths.

Commands to assist detection could include searching logs for redirect parameters or session values containing suspicious URL patterns.

• Using grep or similar tools to find redirect URLs with external domains, e.g., `grep -E 'pre_login_requested_url=.*(http|//|\\)' /path/to/logs`
• Inspecting session data or application logs for URLs that do not start with a forward slash or contain host/scheme components.

Useful 0 Not Useful 0