chrismccord

chrismccord

Creator of Phoenix

Security Releases for Phoenix

A minor vulnerability has been disclosed for applications redirecting to URLs provided by user input. Only applications passing user input to Phoenix.Controller.redirect/2 are affected. For example, code such as the following is vulnerable to this disclosure:

redirect(conn, to: params["redirect"])     

We have released new Phoenix versions v1.0.6, v1.1.8, v1.2.3, and v1.3.0-rc.1 which addresses this issue. If you are unable to upgrade, a fix to use in your own application can be found below.

Disclosure

From day one, the Phoenix team designed Phoenix.Controller.redirect/2 to protect against redirects allowing user input to redirect to an external URL where your application code otherwise assumes a local path redirect. This is why the :to option is used for “local” URL redirects and why you must pass the :external option to intentionally allow external URLs to be redirected to. It has been disclosed that carefully crafted user input may be treated by some browsers as an external URL. An attacker can use this vulnerability to aid in social engineering attacks. The most common use would be to create highly believable phishing attacks. For example, the following user input would pass local URL validation, but be treated by Chrome and Firefox as external URLs:

http://localhost:4000/?redirect=/\nexample.com

Not all browsers are affected, but latest Chrome and Firefox will issue a get request for example.com and successfully redirect externally.

  • Versions affected: v1.0.0, v1.0.1, v1.0.2, v1.0.3, v1.0.4, v1.1.0, v1.1.1, v1.1.2, v1.1.3, v1.1.4, v1.1.5, v1.1,6, v1.2.0, v1.2.1, v1.3.0-rc.0
  • Versions fixed: v1.0.5+, v1.1.7+, v1.2.3+, v1.3.0-rc.1+
  • Author: Jeff Dileo
  • Thanks to: Jeff Dileo and his colleagues at the NCC Security Advisory Group

Temporary Fix

If you are able to update via mix and hex, simply run mix deps.update phoenix to jump on the latest point release with this fix. Those unable to upgrade can add the following function and import to their controllers:

import Phoenix.Controller, except: [redirect: 2]

def redirect(conn, opts) do
  to = opts[:to]

  if to && String.contains?(to, "\\") ->
    raise ArgumentError, "unsafe characters detected for local redirect in URL #{inspect to}"
  else
    Phoenix.Controller.redirect(conn, opts)
  end
end

Thank You

I would like to thank the NCC Group for reporting this vulnerability and working with us to harden the Phoenix and Plug code-bases.

NCC Group is a global expert in cyber security and risk mitigation,
working with businesses to protect their brand, value and reputation
against the ever-evolving threat landscape. Our Security Consulting
services leverage our extensive knowledge of current security
vulnerabilities, penetration testing techniques and software development
best practices to enable organizations to secure their applications
against ever-present threats. At NCC Group we can boast unrivaled talent
and recognized world-class security expertise. Bringing together best in
class security consultancies iSEC Partners, Intrepidus Group, Matasano,
NCC Group and NGS we have created one of the largest, most respected
security consultancies in the world.

Where Next?

Popular in Phoenix News Top

chrismccord
As promised, the first release candidate of Phoenix 1.3.0 is out! This release focuses on code generators with improved project structure...
New
chrismccord
The final release of Phoenix 1.7 is out! Most of the new features have been outlined in the 1.7 RC thread, but it has been a few months s...
New
chrismccord
Phoenix 1.4.0 released Phoenix 1.4 is out! This release ships with exciting new features, most notably with HTTP2 support, improved deve...
688 30877 112
New
chrismccord
Phoenix 1.3.5, 1.4.18, 1.5.14, and 1.6.14 have been released to resolve a vulnerability in wildcard check_origin configurations. Previou...
New
chrismccord
You can read the announcement on the blog, but I’ll dup most of it here for discussion purposes: ––––––––––––––––––––––––––––––––––––––...
451 13951 109
New
chrismccord
Check the announcement blog for details! Blog duped here for convenience: Phoenix 1.8.0-rc released! The first release candidate of P...
418 13345 167
New
josevalim
We were notified by Panagiotis Nezis that certain payloads could take a long time to process when converted to integers. New Erlang/OTP v...
New
chrismccord
Hey folks, Phoenix 1.3.0 is out! The final release please brings tweaks to web directory and alias conventions that were estabished in t...
New
chrismccord
LiveView 1.0.0-rc.0 is out! This 1.0 milestone comes almost six years after the first LiveView commit. I published a Phoenix blog highli...
New
chrismccord
I’m pleased to announce the first release candidate of Phoenix 1.6.0 has landed on the heels of a fresh LiveView 0.16 release! This relea...
New

Other popular topics Top

danschultzer
None of the current solutions worked well for me, so I went ahead and built a user management system from scratch. This project took far...
548 29377 241
New
malloryerik
Hi, this is for people who, like me, have had some friction using .html.heex templates in VSCode. The solution seems to be, in a hyphena...
New
minhajuddin
I have seen a lot of code which picks the first element from a list using Enum.at(0) instead of List.first. Is there a reason why people ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
dogweather
I wrote this comment on r/haskell, and it’s not popular there. :wink: But I think I’m on to something… Haskell reminds me of Java, and e...
New

We're in Beta

About us Mission Statement