Plone security advisory 20260302
Possible open redirect when using more than 2 forward slashes

This is a copy of an advisory published on GitHub today.

Impact

A URL such as /login?came_from=////evil.example may redirect the browser to an external website after login. Browsers treat a reference that begins with two or more forward slashes as scheme-relative, so ////evil.example resolves to https://evil.example/ on an HTTPS site, not to a path on the Plone site.

A standard Plone installation is not affected, but if you have customised the login, for example with add-ons, you might be. To check, try the URL above on your own site while logged out: after a successful login you should land on your own site, not on evil.example.

Patches

The problem has been patched in Products.isurlinportal.

  • Plone 6.2: upgrade to Products.isurlinportal 4.0.0.
  • Plone 6.1: upgrade to Products.isurlinportal 3.1.0.
  • Plone 6.0: upgrade to Products.isurlinportal 2.1.0.
  • Older Plone versions don't have security support anymore.

Workarounds

There are no known workarounds.

Background

When you are anonymous and land on a page that requires a login, Plone sends you to the login form. After successful login, Plone redirects you back to the page you came from. Various other forms and pages have a similar system.

An attacker could abuse this to trick Plone into redirecting a user to a website under the attacker's control. To prevent that, Plone checks the URL it would redirect to and only accepts it if it is within the Plone site domain or on a different trusted domain.

The main check lives in the Products.isurlinportal package. It already rejects many potentially malicious URLs, including the usual scheme-relative form with exactly two leading slashes, but a loophole was found: a URL with more than two leading forward slashes was not rejected. Browsers treat any longer run of leading slashes the same way as two, whereas a server-side parser such as Python's urllib.parse sees ////evil.example as a relative path with no host, which is how a check of this kind can be fooled.
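As an added example, not code from the advisory or from Products.isurlinportal, the following Python shows both halves of the problem: how Python's urllib parses ////evil.example compared with how a browser resolves it, and a conservative came_from check that rejects every scheme-relative form regardless of how many slashes it starts with. It goes slightly beyond the advisory's single case by also normalising backslashes and surrounding whitespace the way browsers do. The portal URL https://plone.example, the trusted host sso.example, and the function names are assumptions made for the example.

```python
"""Added example (not Products.isurlinportal code): why ////evil.example is
dangerous, and a conservative came_from check that rejects it.

Assumptions (hypothetical): the portal lives at https://plone.example and
sso.example is a trusted external host.
"""
from urllib.parse import urljoin, urlsplit

PORTAL_URL = "https://plone.example"                          # assumed
TRUSTED_HOSTS = frozenset({"plone.example", "sso.example"})   # assumed

# WHATWG URL parsing strips leading/trailing C0 controls and spaces, and
# removes tabs and newlines anywhere, before parsing an http(s) reference.
_C0_AND_SPACE = "".join(map(chr, range(0x21)))


def _clean(url: str) -> str:
    """Normalise a reference the way a browser does for http(s) URLs:
    strip C0 controls/spaces at the ends, drop tabs and newlines anywhere,
    and treat backslashes like forward slashes."""
    url = url.strip(_C0_AND_SPACE)
    url = "".join(c for c in url if c not in "\t\r\n")
    return url.replace("\\", "/")


def stdlib_view(url: str) -> tuple[str, str]:
    """How Python's urllib sees a reference, as (netloc, path).

    ////evil.example comes back as netloc '' and path '//evil.example':
    a harmless-looking relative path with no host at all.
    """
    parts = urlsplit(url)
    return parts.netloc, parts.path


def browser_resolve(base: str, url: str) -> str:
    """Approximate browser resolution for the case this advisory is about.

    For an http(s) page, a reference that starts with two or more slashes is
    scheme-relative: the browser skips the whole run of slashes and takes
    what follows as the host.  Every other reference is delegated to
    urljoin, so this is not a full URL parser.
    """
    url = _clean(url)
    without_slashes = url.lstrip("/")
    if not urlsplit(url).scheme and len(url) - len(without_slashes) >= 2:
        return f"{urlsplit(base).scheme}://{without_slashes}"
    return urljoin(base, url)


def is_url_in_portal(url: str, portal_url: str = PORTAL_URL,
                     trusted_hosts: frozenset = TRUSTED_HOSTS) -> bool:
    """Return True only if redirecting to ``url`` keeps the user on the
    portal or on a trusted host (hypothetical came_from check)."""
    allowed = trusted_hosts | {urlsplit(portal_url).hostname}
    url = _clean(url)
    parts = urlsplit(url)
    if parts.scheme:
        # Absolute URL: only http(s) to an allowed host.  This also rejects
        # javascript:/data: and odd forms such as http:evil.example, whose
        # hostname is None and therefore fails the membership test.
        if parts.scheme not in ("http", "https"):
            return False
        return parts.hostname in allowed
    if url.startswith("//"):
        # Scheme-relative with two OR MORE leading slashes: the browser goes
        # to whatever host follows the slashes.  Reject outright rather than
        # trying to parse the host out of it.
        return False
    # Anything left is path-, query- or fragment-relative and resolves
    # against the portal's own origin; resolve it anyway as a self-check.
    return urlsplit(urljoin(portal_url, url)).hostname in allowed


if __name__ == "__main__":
    came_from = "////evil.example"          # constructed attacker input
    print("urllib sees:   ", stdlib_view(came_from))
    print("browser goes to:", browser_resolve(PORTAL_URL + "/login", came_from))
    for candidate in ["/folder/page", "//evil.example", came_from,
                      "/\\evil.example", "https://sso.example/callback",
                      "https://evil.example/"]:
        print(f"{candidate!r:32} -> {is_url_in_portal(candidate)}")
```

The check deliberately rejects any reference beginning with two or more slashes instead of extracting the host and comparing it, so ///plone.example/page is refused even though a browser would stay on the site; for a post-login redirect that false positive costs nothing, while getting the host extraction wrong is exactly the class of bug this advisory describes.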

This was discovered during a penetration test by the CERT-EU Team.

Thanks to Alessandro Pisa for supplying the fix and tests.