Vulnerable URL:
http://urlDomain/LecManager/j_spring_security_check?j_password=123456&j_username=admin&spring-security-redirect=http://www.vulnweb.com
Through this address the application can be made to redirect to http://www.vulnweb.com (an open redirect: the `spring-security-redirect` parameter is honoured without checking its target).
Solution:
Modify the sendRedirect method of org.codehaus.groovy.grails.plugins.springsecurity.RedirectUtils to validate the redirect address, restricting it to urlDomain and URLs under it.
```groovy
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

static void sendRedirect(
        HttpServletRequest request,
        HttpServletResponse response,
        String url) throws IOException {
    String redirect = buildRedirectUrl(request, response, url)
    // URL redirect vulnerability fix: only allow targets that reference this server.
    // Note that this is a substring match on the whole URL, not a host comparison;
    // a stricter check parses the URL and compares the host itself.
    if (!redirect.contains(request.getServerName())) {
        redirect = ""
    }
    response.sendRedirect(response.encodeRedirectURL(redirect))
}
```
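The check above tests whether the server name appears anywhere in the redirect string, so a URL such as `http://www.vulnweb.com/?urlDomain` or `http://urlDomain@www.vulnweb.com/` would still pass. The following is an added example (not the plugin's own code) of the host-based validation the solution describes: it parses the candidate URL, accepts only same-origin relative paths or http(s) URLs whose host is the server name or a subdomain of it, and rejects protocol-relative targets. `buildRedirectUrl` is assumed to be the plugin's existing helper, and `RedirectGuard` is a hypothetical class name.

```groovy
import java.net.URI
import java.net.URISyntaxException
import java.util.Locale
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse

class RedirectGuard {

    // Returns true only when `url` is a path on this application or an
    // absolute http(s) URL whose host is `serverName` or a subdomain of it.
    static boolean isSafeRedirect(String url, String serverName) {
        if (url == null || url.isEmpty() || serverName == null) {
            return false
        }
        // Protocol-relative targets ("//evil.example") would leave the site.
        if (url.startsWith("//") || url.startsWith("\\\\")) {
            return false
        }
        URI uri
        try {
            uri = new URI(url)
        } catch (URISyntaxException e) {
            // Unparseable input is never forwarded.
            return false
        }
        String scheme = uri.getScheme()
        String host = uri.getHost()
        if (scheme == null && host == null) {
            // Relative reference: allow only an absolute path on this app.
            return url.startsWith("/")
        }
        if (host == null) {
            // Has a scheme but no parseable host (e.g. "javascript:" or odd authority).
            return false
        }
        if (!(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false
        }
        String h = host.toLowerCase(Locale.ROOT)
        String s = serverName.toLowerCase(Locale.ROOT)
        // Exact host match or a subdomain of it (note the leading dot, so
        // "evilurlDomain" does not match "urlDomain").
        return h == s || h.endsWith("." + s)
    }

    // Hardened variant of the plugin's sendRedirect; buildRedirectUrl is assumed
    // to be the existing helper in RedirectUtils.
    static void sendRedirect(HttpServletRequest request,
                             HttpServletResponse response,
                             String url) throws IOException {
        String redirect = buildRedirectUrl(request, response, url)
        if (!isSafeRedirect(redirect, request.getServerName())) {
            // Fall back to the application root instead of honouring the parameter.
            redirect = request.getContextPath() + "/"
        }
        response.sendRedirect(response.encodeRedirectURL(redirect))
    }
}
```

With the server name `urlDomain`, `isSafeRedirect("http://www.vulnweb.com", "urlDomain")`, `isSafeRedirect("http://www.vulnweb.com/?urlDomain", "urlDomain")` and `isSafeRedirect("//www.vulnweb.com", "urlDomain")` all return false, while `isSafeRedirect("/LecManager/index", "urlDomain")` and `isSafeRedirect("https://app.urlDomain/home", "urlDomain")` return true. Falling back to the context root rather than an empty string also avoids sending a `Location` header with no target.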