In the course of our work, Nettitude discovered an open redirect vulnerability in Episerver Find. It has been assigned CVE-2020-24550.
The Episerver platform includes content management, e-commerce functionality, marketing automation, and search and navigation capabilities. Episerver Find provides search functionality within this platform, and offers a .NET client API for developers.
Episerver Find 13.2.6 and below allows an attacker to redirect a user to an arbitrary website. An attacker could exploit this vulnerability to send users to a malicious site via a link that appears to point at the legitimate application, since the link's host is the trusted site and only the query string carries the destination.
Proof of Concept
Episerver Find passes untrusted user input from the _t_redirect URL parameter directly to a redirection function, so an attacker can place an arbitrary URL in this parameter and the application will redirect the user to it.
The example below will redirect the user to https://www.nettitude.com.
The following screenshot shows the HTTP request which occurs when the above link is clicked.
The response from the server is consequently as follows.
This vulnerability affects Episerver Find version 13.2.6 and below. The vulnerable package is available from the following URL.
Vulnerable release: https://nuget.episerver.com/package/?id=EPiServer.Find&v=13.2.6
The issue affects the Index action on the
Nettitude decompiled this method to determine the cause of the issue. As shown in the screenshot below, the application creates a 301 redirect (moved permanently) response, assigning the value of the _t_redirect parameter to the
This vulnerability was patched in version 13.2.7 of Episerver Find. The Episerver team were responsive and effective during this disclosure process.
Patched release: https://nuget.episerver.com/package/?id=EPiServer.Find&v=13.2.7
To avoid this class of vulnerability, user input should be strictly validated before it is passed to a redirect. Redirect targets should be site-relative paths (a single leading slash; the scheme-relative "//host" form and backslashes must be rejected, since browsers treat "/\host" as "//host"), and any external URL should be checked against an allow list of exact hosts rather than a prefix or substring match. Because browsers cache a 301, a user-driven redirect should also use a 302 or 303 so that a bad target does not become sticky.
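The vulnerable pattern beside a hardened replacement, as an added Python illustration and not Episerver's own .NET code. The parameter name _t_redirect is the one from the advisory; the allow-listed host www.example.com, the fallback path and the helper names are assumptions made for this example. www.nettitude.com stands in for the attacker-chosen destination, as in the proof of concept above.

```python
"""Open redirect: the flawed pattern from the advisory beside a hardened check.

Added example, not Episerver's code. _t_redirect is the real parameter name;
ALLOWED_HOSTS, FALLBACK and the function names are assumptions for illustration.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.example.com"}   # assumption: the site's own external hosts
FALLBACK = "/"                        # assumption: where a rejected target lands


def vulnerable_redirect_target(params):
    """The flawed pattern: whatever arrives in _t_redirect becomes the Location."""
    return params.get("_t_redirect", FALLBACK)


def is_safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for a site-relative path or an allow-listed absolute URL."""
    if not isinstance(target, str):
        return False
    target = target.strip()
    if not target:
        return False
    # Control characters and backslashes let browsers reinterpret the URL
    # (e.g. "/\\evil.com" is handled like "//evil.com"), so reject them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target) or "\\" in target:
        return False
    # Site-relative path: exactly one leading slash. "//host" and "///host"
    # are scheme-relative URLs that leave the site and must not pass.
    if target[0] == "/":
        return len(target) == 1 or target[1] != "/"
    try:
        parts = urlsplit(target)
    except ValueError:            # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False              # javascript:, data:, etc.
    if parts.username is not None or parts.password is not None:
        return False              # "https://www.example.com@evil.com/" lands on evil.com
    host = parts.hostname         # lower-cased, port and userinfo removed
    return host is not None and host in {h.lower() for h in allowed_hosts}


def safe_redirect_target(params, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Hardened replacement: validate the parameter, fall back to a fixed path."""
    target = params.get("_t_redirect", "")
    if is_safe_redirect_target(target, allowed_hosts):
        return target.strip()
    return fallback


if __name__ == "__main__":
    # Constructed request parameters mirroring the proof of concept above.
    poc = {"_t_redirect": "https://www.nettitude.com"}
    print("vulnerable ->", vulnerable_redirect_target(poc))
    print("hardened   ->", safe_redirect_target(poc))
```

In ASP.NET MVC the equivalent local-path check is `UrlHelper.IsLocalUrl`, which accepts only a single leading slash (or `~/`) and rejects the `//host` and `/\host` forms; pair it with a host allow list for any external destinations that genuinely need to be supported.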
The following is an overview of the disclosure timeline.
- Patch available (version 13.2.7): 19 May 2020 – already patched
- Discovered by Nettitude: 07 July 2020
- Reported to vendor: 23 July 2020
- CVE-2020-24550 assigned: 19 August 2020
- Detailed disclosure: 11 Feb 2021