Bug #34956 Login redirection vulnerability
Submitted: 29 Feb 2008 5:21 Modified: 3 Mar 2008 15:51
Reporter: Diego Medina Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Websites: MySQLForge Severity:S1 (Critical)
Version:forge1.mysql.com OS:Any
Assigned to: CPU Architecture:Any
Tags: login
Triage: D2 (Serious)

[29 Feb 2008 5:21] Diego Medina
Description:
The login page redirect users to their previous page regardless of the domain name where they come from.

This could allow malicious people to steal user's credentials.

How to repeat:
1- go here http://www.fmpwizard.com/forge.php  (Don't worry, it will not do anything. It will just say things)

2- click the link
3- Enter your login information and click Login
4- You will be redirected back to http://www.fmpwizard.com/forge.php

And if this was a fraudulent site, it could have all the images, colors, everything to look like the real site but have a message like "Password incorrect, please try again"
And after they enter the data, the username/password could be store and then the user could be automatically redirected to the real site and she/he will never know they just gave someone else their credentials.

You may wonder how are people going to click on the link in the first place. It is pretty easy to have a URL like:

http://forge1.mysql.com.login.fmpwizard.com/mysql/login.php

if you are used to checking the beginning of the url and maybe the end of it, you could accidentally click on the fake link. (Specially if you are working late and get an email or something)

Suggested fix:
If the referer url is not part of the mysql.com domain, redirect to a default page.
[29 Feb 2008 5:47] Valeriy Kravchuk
Thank you for a bug report. Verified just as described.
[3 Mar 2008 15:51] Jay Pipes
This was a nasty one.  Most fixes went into cls/peoplehandler.php:display_login() and login().  Full checks now performed for all redirects using parse_url().  The fixes were contained in r368-70.

Thanks Diego for letting us know about this one!