
URL params should be scrubbed for HTML injection when redirecting HTTP -> HTTPS

Details

• Type: Bug
• Status: Open
• Priority: Trivial
• Resolution: Unresolved
• Affects Version/s: 4.2.6
• Fix Version/s: Unscheduled
• Component/s: Core CiviCRM
• Labels: None
• Versioning Impact: Patch (backwards-compatible bug fixes)

Description

When "Force Secure URLs" is enabled, CiviCRM redirects HTTP requests to HTTPS. If the request had URL params with injected HTML, the same injected HTML appears in the "Location:" header of the redirect response.

I don't believe there is a real vulnerability here, but some PCI compliance scanners will flag this and fail the scan. I've successfully disputed with our scan vendor, but we should also consider scrubbing injected HTML from redirect responses.
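An added illustration of the scrubbing the report asks for, written for this page and not taken from CiviCRM's code: the naive redirect copies the raw request URI into the Location header, while the hardened form parses the path and query and re-emits every component percent-encoded, so markup characters from the request never appear literally in the header. The function names and the sample request URI are constructed; the hostname is assumed to come from site configuration rather than from the request.

```php
<?php
// Naive form: whatever the client sent, tags included, lands in Location:.
function naiveRedirectTarget(string $host, string $requestUri): string
{
    return 'https://' . $host . $requestUri;
}

// Hardened form: parse the request URI, then re-encode the path segments
// and every query key/value with RFC 3986 percent-encoding. '<', '>',
// quotes, spaces and control characters cannot survive as literals.
function scrubbedRedirectTarget(string $host, string $requestUri): string
{
    $parts = parse_url($requestUri);
    if ($parts === false) {
        $parts = [];
    }

    // Re-encode each path segment; keep the '/' separators. Any host that
    // parse_url() found (e.g. a "//evil" prefix) is deliberately ignored,
    // because the host comes from configuration, not from the request.
    $path = $parts['path'] ?? '/';
    $segments = array_map('rawurlencode', array_map('rawurldecode', explode('/', $path)));
    $path = implode('/', $segments);

    $params = [];
    if (isset($parts['query'])) {
        parse_str($parts['query'], $params);
    }
    // http_build_query() percent-encodes keys and values.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);

    return 'https://' . $host . $path . ($query !== '' ? '?' . $query : '');
}

// Constructed sample request carrying markup in a query value.
$requestUri = '/civicrm/contact/view?cid=42&q=<b>hi</b>"onclick=x';
echo naiveRedirectTarget('example.org', $requestUri), "\n";
echo scrubbedRedirectTarget('example.org', $requestUri), "\n";
```

Whichever form builds the target, the redirect should still be emitted through header(), which rejects CR/LF in the value, so the encoding above is a defence against reflected markup in the header rather than a substitute for header-splitting protection.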

People

• Assignee: Unassigned
• Reporter: jcm55 Jim Meehan
• Votes: 0
• Watchers: 2