During the course of our work, we discovered an open redirect vulnerability in Episerver Find. This has been assigned CVE-2020-24550.
The Episerver platform includes content management, e-commerce functionality, marketing automation, and search and navigation capabilities. Episerver Find provides search functionality within this platform, and offers a .NET client API for developers.
Episerver Find 13.2.6 and below allows an attacker to redirect a user to an arbitrary website. An attacker could exploit this vulnerability to direct users to a malicious site using a link which appears to be legitimate.
Proof of Concept
Episerver Find passes untrusted user input from the _t_redirect URL parameter directly to a redirection function. This allows an attacker to specify an arbitrary URL within this parameter, to which the application will redirect the user.
The example below will redirect the user to https://www.nettitude.com.
https://{vulnerable}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://www.nettitude.com
The following screenshot shows the HTTP request which occurs when the above link is clicked.
The resulting response from the server is as follows.
Affected Component
This vulnerability affects Episerver Find version 13.2.6 and below. The vulnerable package is available from the following URL.
Vulnerable release: https://nuget.episerver.com/package/?id=EPiServer.Find&v=13.2.6
The issue affects the Index action on the Click controller.
Affected method: EPiServer.Find.UI.Controllers.ClickController.Index()
Nettitude decompiled this method to determine the cause of the issue. As shown in the screenshot below, the application creates a 301 redirect (moved permanently) response, assigning the value of the _t_redirect parameter to the Location header.
Conclusion
This vulnerability was patched in version 13.2.7 of Episerver Find. The Episerver team were responsive and effective during this disclosure process.
Patched release: https://nuget.episerver.com/package/?id=EPiServer.Find&v=13.2.7
To avoid this type of vulnerability, user input should be strictly validated before being passed to a redirect. Redirect URLs should be relative paths, and any external URLs should be validated against an allow list.
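As an added example (not Episerver's code), the following C# validator applies the two rules above to a user-supplied redirect target such as the _t_redirect value: accept only a same-site relative path, or an absolute https URL whose host is on an allow list. The allow-listed host www.example.com is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not Episerver code: decides whether a user-supplied redirect
// target (such as the value of a _t_redirect parameter) may be followed.
public static class RedirectTargetValidator
{
    // Placeholder allow list of external hosts the site is willing to send users to.
    private static readonly HashSet<string> AllowedExternalHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.com" };

    // True only for a same-site relative path or an allow-listed https host.
    public static bool IsSafeRedirect(string target)
    {
        if (string.IsNullOrWhiteSpace(target))
            return false;

        // Control characters have no place in a Location header.
        if (target.Any(char.IsControl))
            return false;

        // Absolute URIs (including javascript: and data: schemes) are accepted only
        // when the scheme is https and the host is on the allow list. Checking the
        // parsed Host defeats forms such as https://www.example.com@evil.example/.
        if (Uri.TryCreate(target, UriKind.Absolute, out Uri absolute))
        {
            return absolute.Scheme == Uri.UriSchemeHttps
                && AllowedExternalHosts.Contains(absolute.Host);
        }

        // A relative target must start with exactly one slash. Browsers treat
        // "//evil.example" and "/\evil.example" as protocol-relative URLs, so a
        // second slash or a backslash in position two is refused.
        if (target[0] != '/')
            return false;
        if (target.Length > 1 && (target[1] == '/' || target[1] == '\\'))
            return false;

        return true;
    }
    public static void Main()
    {
        // Constructed inputs: the first two are accepted, the rest are refused.
        foreach (var t in new[] { "/search?q=x", "https://www.example.com/page",
                                  "//evil.example", "/\\evil.example",
                                  "https://evil.example", "javascript:alert(1)" })
            Console.WriteLine($"{t} -> {IsSafeRedirect(t)}");
    }
}
```

The check is applied before the redirect response is built; a rejected target should fall back to a fixed same-site page rather than being echoed into the Location header.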
Timeline
The following is an overview of the disclosure timeline.
- Patch available (version 13.2.7): 19 May 2020 – already patched
- Discovered by Nettitude: 07 July 2020
- Reported to vendor: 23 July 2020
- CVE-2020-24550 assigned: 19 August 2020
- Detailed disclosure: 11 Feb 2021