I perceive the world: response.sendRedirect(String location)

Documentation:

So, the documentation has a convention about a leading forward slash in the URL, but the real behaviour depends on the application server implementation; let's check different application servers.

-bash-4.1$ cat r.jsp
<%
    response.sendRedirect(request.getParameter("r"));
%>

Weblogic:

-bash-4.1$ curl -I http://192.168.2.52:7002/da/r.jsp?r=http://moviepoopshoot.com
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Wed, 26 Nov 2014 03:26:36 GMT
Transfer-Encoding: chunked
Location: http://moviepoopshoot.com
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1

-bash-4.1$ curl -I http://192.168.2.52:7002/da/r.jsp?r=https://moviepoopshoot.com
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Wed, 26 Nov 2014 03:26:44 GMT
Transfer-Encoding: chunked
Location: https://moviepoopshoot.com
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1

-bash-4.1$ curl -I http://192.168.2.52:7002/da/r.jsp?r=ftp://moviepoopshoot.com
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Wed, 26 Nov 2014 03:27:14 GMT
Transfer-Encoding: chunked
Location: ftp://moviepoopshoot.com
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1

-bash-4.1$ curl -I http://192.168.2.52:7002/da/r.jsp?r=data://moviepoopshoot.com
HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Wed, 26 Nov 2014 03:27:40 GMT
Transfer-Encoding: chunked
Location: data://moviepoopshoot.com
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1

-bash-4.1$ curl -I http://192.168.2.52:7002/da/r.jsp?r=data:moviepoopshoot.com
HTTP/1.1 302 Moved Temporarily
Date: Wed, 26 Nov 2014 03:29:25 GMT
Transfer-Encoding: chunked
Location: http://192.168.2.52:7002/da/data:moviepoopshoot.com
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1

-bash-4.1$ curl -I http://192.168.2.52:7002/da/r.jsp?r=//moviepoopshoot.com
HTTP/1.1 302 Moved Temporarily
Date: Wed, 26 Nov 2014 03:28:30 GMT
Transfer-Encoding: chunked
Location: http://192.168.2.52:7002//moviepoopshoot.com
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/2.5 JSP/2.1

Tomcat:

-bash-4.1$ curl -I http://192.168.2.56:8280/webtop/r.jsp?r=http://moviepoopshoot.com
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: http://moviepoopshoot.com
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Wed, 26 Nov 2014 03:30:49 GMT

-bash-4.1$ curl -I http://192.168.2.56:8280/webtop/r.jsp?r=https://moviepoopshoot.com
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: https://moviepoopshoot.com
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Wed, 26 Nov 2014 03:31:04 GMT

-bash-4.1$ curl -I http://192.168.2.56:8280/webtop/r.jsp?r=ftp://moviepoopshoot.com
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: ftp://moviepoopshoot.com
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Wed, 26 Nov 2014 03:31:24 GMT

-bash-4.1$ curl -I http://192.168.2.56:8280/webtop/r.jsp?r=data://moviepoopshoot.com
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: data://moviepoopshoot.com
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Wed, 26 Nov 2014 03:31:31 GMT

-bash-4.1$ curl -I http://192.168.2.56:8280/webtop/r.jsp?r=data:moviepoopshoot.com
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: data:moviepoopshoot.com
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Wed, 26 Nov 2014 03:31:40 GMT

-bash-4.1$ curl -I http://192.168.2.56:8280/webtop/r.jsp?r=blablabla:moviepoopshoot.com
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: blablabla:moviepoopshoot.com
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Wed, 26 Nov 2014 03:32:00 GMT

-bash-4.1$ curl -I http://192.168.2.56:8280/webtop/r.jsp?r=//moviepoopshoot.com
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Location: http://moviepoopshoot.com
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 0
Date: Wed, 26 Nov 2014 03:32:20 GMT

So, different application servers treat the URL parameter differently: Tomcat has special treatment for the colon and for two leading slash characters, and I do believe that this behavior conforms to RFC 3986.

How does this information relate to Documentum?

Eleven months ago I discovered an XSRF vulnerability in the virtuallinkconnect component (this component is now trusted); the vulnerability was tracked as WEBTOP-28391 (Security vulnerability – user credentials are submitted to the external website), and the remedy from EMC contains a check for the "://" sequence in the value of the redirectUrl parameter 🙂
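To make the point concrete, here is an added example (my own code, not the original post's JSP and not EMC's fix) that puts the "://" substring check beside a redirect-target validator that reasons about the URL the way RFC 3986 does, using Python's urllib.parse rather than the servlet API. It runs both checks over the same inputs used in the curl tests above (the sample list is constructed here), so you can see exactly which targets the substring check lets through: the scheme-only form `data:host`, an arbitrary scheme such as `blablabla:host`, and the protocol-relative `//host` that Tomcat turns into `http://host`.

```python
from urllib.parse import urlsplit

# Constructed sample inputs, taken from the curl tests above plus two
# in-application paths and one backslash variant.
SAMPLES = [
    "http://moviepoopshoot.com",
    "https://moviepoopshoot.com",
    "ftp://moviepoopshoot.com",
    "data://moviepoopshoot.com",
    "data:moviepoopshoot.com",
    "blablabla:moviepoopshoot.com",
    "//moviepoopshoot.com",
    "/\\moviepoopshoot.com",
    "/webtop/component/main",
    "component/main?x=1",
]


def weak_check(location: str) -> bool:
    """The substring check: accepts anything that does not literally contain '://'.

    It only stops absolute URLs that spell out '://'; a scheme without '//'
    and a protocol-relative '//host' both pass.
    """
    return "://" not in location


def is_local_redirect(location: str) -> bool:
    """Accept only an absolute path on this application, per RFC 3986 structure:

    - no scheme  -> rejects http:, ftp:, data:, and unknown schemes alike
    - no authority -> rejects '//host', which Tomcat resolves to http://host
    - exactly one leading '/' so the container never resolves it elsewhere
    - no backslash or control characters: browsers normalise '\\' to '/',
      so '/\\host' would become '//host' on the client side
    """
    if not location or any(c in location for c in "\\\r\n\t"):
        return False
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:
        return False
    return location.startswith("/") and not location.startswith("//")


def safe_redirect_target(location: str, fallback: str = "/") -> str:
    """What a servlet would pass to sendRedirect(): the validated path or a fallback."""
    return location if is_local_redirect(location) else fallback


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (passes weak check, passes local-path check)."""
    return {s: (weak_check(s), is_local_redirect(s)) for s in samples}


if __name__ == "__main__":
    for sample, (weak, strict) in compare().items():
        print(f"{sample!r:35} weak={weak!s:5} local_only={strict}")
```

Because the validator decides before the container sees the value, the outcome no longer depends on whether Weblogic or Tomcat is doing the resolution; the only accepted form is a path the application itself serves. Rejecting backslashes covers the client-side normalisation that the servlet container never performs.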
