Requires Admin Access:
Internal Security Team
dotCMS needs to ensure the application cannot redirect to external sites, and redirects driven by the referer parameter need to be checked against a lookup table of known pages before the redirect is issued.
It is possible to use the application to redirect a user's browser to an external web site. This could allow an attacker to trick a user into visiting a hostile web site, which could then be used to capture their logon credentials. The application was found to redirect users to alternative pages based on the value passed in the referer HTTP GET parameter. The vulnerable script and parameter are listed here:
Update the affected JSP, sub_nav_refresh_host.jsp, to strip the host out of the passed-in referer value. This JSP can be overridden by a plugin.
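The two-part fix described above (strip the host, then check against a lookup table of known pages), as an added example that is not dotCMS's own code or the contents of sub_nav_refresh_host.jsp. The class name, the KNOWN_PAGES entries and the default page are constructed placeholders; it assumes Java 11 or later.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

// Added example (not dotCMS code): reduce a user-supplied "referer" parameter to a
// same-site path and accept it only if it is a known page; otherwise fall back.
public final class SafeRedirect {

    // Hypothetical lookup table of pages the sub-nav refresh may return to
    // (constructed placeholder values, not real dotCMS paths).
    private static final Set<String> KNOWN_PAGES = Set.of(
        "/example/admin/home.jsp",
        "/example/admin/hosts/list.jsp");

    private static final String DEFAULT_PAGE = "/example/admin/home.jsp";

    /** Returns a safe same-site redirect target for the raw referer parameter value. */
    public static String resolve(String referer) {
        if (referer == null || referer.isBlank()) {
            return DEFAULT_PAGE;
        }
        // Normalise backslashes, which some browsers treat as '/' inside URLs.
        String candidate = referer.trim().replace('\\', '/');
        String path;
        try {
            // Keep only the path component: scheme, authority (host), query and fragment
            // are discarded, so "https://attacker.example/x", "//attacker.example/x" and
            // opaque values such as "javascript:..." (path == null) all lose the part that
            // would send the browser off-site.
            path = new URI(candidate).getPath();
        } catch (URISyntaxException e) {
            return DEFAULT_PAGE;
        }
        // Reject anything that is not a single-slash-rooted path; a leading "//" would be
        // re-interpreted by the browser as a protocol-relative URL to another host.
        if (path == null || !path.startsWith("/") || path.startsWith("//")) {
            return DEFAULT_PAGE;
        }
        // Finally, accept only pages present in the lookup table.
        return KNOWN_PAGES.contains(path) ? path : DEFAULT_PAGE;
    }
}
```

The JSP would call SafeRedirect.resolve(request.getParameter("referer")) and redirect to the returned path, so an absolute external URL in the parameter is never passed through to the browser.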