Drupal Core Open Redirect
Description
Drupal Core contains an open redirect vulnerability in its handling of the destination query parameter. This parameter, intended for internal navigation redirects, does not properly validate URLs and can be exploited to redirect users to external malicious domains. Attackers can craft URLs that appear to originate from the legitimate Drupal site but redirect victims to attacker-controlled domains. For example:
http://www.drupal.local/?destination=https://attacker.com\@www.drupal.local/

This URL will redirect users to attacker.com despite appearing to be a legitimate link to the Drupal site.
Remediation
Take the following steps to remediate this vulnerability:
1. Upgrade Drupal Core to the latest stable version that includes fixes for this open redirect vulnerability.
2. Implement URL validation for the destination parameter to ensure it only accepts internal paths. Add server-side validation that:
- Rejects URLs containing external domains
- Blocks requests with multiple forward slashes followed by external domains
- Validates that destination values start with a forward slash and do not contain protocol schemes (http://, https://)
3. Use allowlist-based validation to restrict redirects to known safe paths within your application.
4. Configure Web Application Firewall (WAF) rules to block suspicious patterns in the destination parameter, such as:
- Multiple consecutive forward slashes
- External domain names
- URL-encoded characters that could bypass filters
5. Review application logs for exploitation attempts and monitor for unusual redirect patterns.
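The validation rules in steps 2 and 3 and the log review in step 5, as an added example (not Drupal's own code): a validator for a destination-style parameter plus a scan over constructed access-log lines. ALLOWED_PREFIXES and the log format are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not Drupal's own code: a server-side check for a "destination"
# style redirect parameter, implementing the rules from the remediation steps.
SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")
ALLOWED_PREFIXES = ("/",)  # narrow to e.g. ("/user/", "/node/") for a strict allowlist

def is_safe_destination(dest: str, allowed_prefixes=ALLOWED_PREFIXES) -> bool:
    """Return True only if dest is a relative, site-local path."""
    # Decode until stable so %2F%2F or double-encoding cannot hide "//" or a scheme.
    decoded = dest
    for _ in range(3):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    # Reject control characters, whitespace and backslashes (browsers treat "\" as "/").
    if any(ord(c) < 0x21 or c == "\\" for c in decoded):
        return False
    # Exactly one leading slash: "//host" is a protocol-relative external URL.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False
    # No scheme prefix (http:, https:, ...) and no authority component at all.
    if SCHEME_RE.match(decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return False
    return decoded.startswith(tuple(allowed_prefixes))

def flag_suspicious_requests(log_lines):
    """Step 5: (line_no, destination) for requests whose destination fails the check."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for dest in parse_qs(query, keep_blank_values=True).get("destination", []):
            if not is_safe_destination(dest):
                hits.append((n, dest))
    return hits

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?destination=/user/1 HTTP/1.1" 302 0',
    '203.0.113.6 - - [01/Jan/2024:10:00:01 +0000] "GET /?destination=https://attacker.com%5C@www.drupal.local/ HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?destination=//attacker.com/ HTTP/1.1" 302 0',
]
```

Running flag_suspicious_requests(SAMPLE_LOG) flags lines 2 and 3; the first line's /user/1 passes because it is a plain site-local path.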