Unvalidated redirect used during authentication handshake between ChannelManager and Site

Issue date: 28-04-2017
Affects versions: 11.1, 10.2, 7.9

Issue ID SECURITY-27

Affected Product Version(s)
This vulnerability applies to CMS 7.9.16, CMS 10.2.4, CMS 11.1.1 and earlier versions

Severity
Normal

Description

Within the CMS application the ChannelManager and the Site application perform a client-side authentication handshake during startup of a CMS user session. This handshake used an unvalidated redirectUrl parameter, potentially allowing to be used with phishing or social engineering attacks to redirect a user to a malicious website.

Instructions

Hippo has implemented a fix for this vulnerability across all supported versions and has provided new maintenance releases to be able to upgrade and close this vulnerability in your implementation of Hippo.

The solution to this vulnerability requires no changes to the Hippo based projects themselves other than upgrading to the latest Hippo maintenance release CMS 11.1.2, CMS 10.2.5 or CMS 7.9.17.
Note that the latest CMS 11.2 minor release already incorporated this fix and therefore doesn't require upgrading.

Get Started

Build a Website

Relevance Trail

Feed an AngularJS App

Understand Hippo

Implement Hippo

Extend Hippo

Integrate Hippo

Run Hippo

Upgrade Hippo

Develop Hippo

Use Hippo

Report an Issue

Bloomreach Documentation version

Unvalidated redirect used during authentication handshake between ChannelManager and Site