Unvalidated redirect used during authentication handshake between ChannelManager and Site
Issue date: 28-04-2017Affects versions: 11.1, 10.2, 7.9
Issue ID SECURITY-27
Affected Product Version(s)
This vulnerability applies to CMS 7.9.16, CMS 10.2.4, CMS 11.1.1 and earlier versions
Severity
Normal
Description
Within the CMS application the ChannelManager and the Site application perform a client-side authentication handshake during startup of a CMS user session. This handshake used an unvalidated redirectUrl parameter, potentially allowing to be used with phishing or social engineering attacks to redirect a user to a malicious website.
Instructions
Hippo has implemented a fix for this vulnerability across all supported versions and has provided new maintenance releases to be able to upgrade and close this vulnerability in your implementation of Hippo.
The solution to this vulnerability requires no changes to the Hippo based projects themselves other than upgrading to the latest Hippo maintenance release CMS 11.1.2, CMS 10.2.5 or CMS 7.9.17.
Note that the latest CMS 11.2 minor release already incorporated this fix and therefore doesn't require upgrading.