- Type: Bug
- Status: Resolved
- Priority: Critical
- Resolution: Won't Fix
- Affects Version/s: 8.10, 9.10, 10.3
- Fix Version/s: None
- Component/s: Authentication, Login Page, Seam / JSF UI, Security
- Tags:
- Backlog priority: 700
Extra-parameter issues arise where a field that should be specified only once is specified multiple times, where unexpected arguments are given, or where redundant arguments with different values are given in different places. Applications and protocols must define behavior appropriate to the nature of the parameter wherever such scenarios are possible. The request below redirects to /nuxeo?id=1. While this is not an exploitable vulnerability on its own, a bug such as this could be leveraged to extend the previous RCE vulnerability via a very convincing phishing attack.
Example request:
POST /nuxeo/nxstartup.faces HTTP/1.1
Host: collaborate-corp-beta.amazon.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip,
Referer: https://collaborate-corp-beta.amazon.com/nuxeo/login2.jsp
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 156
user_name=kmuser&user_password=<Password_Redacted>&language=en_US&requestedUrl=nuxeo/?id=1&forceAnonymousLogin=&form_submitted_marker=&Submit=Log+In
Recommended fix
Where a parameter can be specified more than once, define an order of precedence so that the most trusted value is used; for example, between a cookie and a query-string parameter, trust the cookie. Avoid creating scenarios where redundant input from unexpected sources is possible.
In this specific example, storing the requested URL in a session attribute (set when the user is sent to the login page) and removing requestedUrl from the POST request altogether would effectively remediate this issue.
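As an added illustration (not Nuxeo's code), the precedence rule and validation from the recommended fix in Python: the session-stored target wins, a repeated requestedUrl field with conflicting values is refused, and any candidate is reduced to a path inside the application before it is used for the redirect. The session attribute name and the /nuxeo context path are assumptions; dropping the POST fallback entirely gives the stricter variant the report suggests.

```python
from urllib.parse import parse_qs, urlsplit

APP_PREFIX = "/nuxeo"          # context path, taken from the request in the report
SESSION_KEY = "requestedUrl"   # assumed name of the session attribute set before the login redirect


class ParameterConflict(ValueError):
    """A single-valued field was sent more than once with differing values."""


def single_value(form, name):
    """Return the one value of `name` from a parsed form, or None if absent.
    A repeated field with conflicting values is refused rather than taking
    the first or last copy silently."""
    values = [v for v in form.get(name, []) if v != ""]
    if not values:
        return None
    if len(set(values)) > 1:
        raise ParameterConflict(f"{name} supplied {len(values)} times with different values")
    return values[0]


def sanitize_local_target(target):
    """Reduce a redirect candidate to a path inside the application, else None.
    Query and fragment are dropped, so a rider like the report's '?id=1' cannot
    pass through the login flow."""
    if not target or "\\" in target:       # browsers treat '\' like '/'
        return None
    if not target.startswith("/"):         # the report sends 'nuxeo/?id=1'
        target = "/" + target
    if target.startswith("//"):            # protocol-relative URL: foreign host
        return None
    parts = urlsplit(target)
    if parts.scheme or parts.netloc or ".." in parts.path.split("/"):
        return None
    if parts.path == APP_PREFIX or parts.path.startswith(APP_PREFIX + "/"):
        return parts.path
    return None


def resolve_post_login_redirect(session, body):
    """Fixed precedence: the value stored in the session when the user was sent
    to the login page wins; the POST field is only a fallback. Both must pass the
    same validation, otherwise the user lands on the application root."""
    form = parse_qs(body, keep_blank_values=True)
    for candidate in (session.get(SESSION_KEY), single_value(form, "requestedUrl")):
        path = sanitize_local_target(candidate)
        if path is not None:
            return path
    return APP_PREFIX + "/"
```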