Skip content
LRQA Cyber Labs

CVE-2020-24550: Open Redirect in Episerver Find

Tom Wedgbury

During the course of our work, we discovered an open redirect vulnerability in Episerver Find.  This has been assigned CVE-2020-24550.

The Episerver platform includes content management, e-commerce functionality, marketing automation, and search and navigation capabilities. Episerver Find provides search functionality within this platform, and offers a .NET client API for developers.

Episerver Find 13.2.6 and below allows an attacker to redirect a user to an arbitrary website. An attacker could exploit this vulnerability to direct users to a malicious site using a link which appears to be legitimate.

Proof of Concept

Episerver Find passes untrusted user input from the _t_redirect URL parameter directly to a redirection function. This allows an attacker to specify an arbitrary URL within this parameter, to which the application will redirect the user.

The example below will redirect the user to https://www.nettitude.com.

https://{vulnerable}/find_v2/_click?_t_id=&_t_q=&_t_hit.id=&_t_redirect=https://www.nettitude.com

The following screenshot shows the HTTP request which occurs when the above link is clicked.

Episerver HTTP Request

The response from the server is consequently as follows.

13.2.6_resp

Affected Component

This vulnerability affects Episerver Find version 13.2.6 and below. The vulnerable package is available from the following URL.

Vulnerable release: https://nuget.episerver.com/package/?id=EPiServer.Find&v=13.2.6

The issue affects the Index action on the Click controller.

Affected method: EPiServer.Find.UI.Controllers.ClickController.Index()

Nettitude decompiled this method to determine the cause of the issue. As shown in the screenshot below, the application creates a 301 redirect (moved permanently) response, assigning the value of the _t_redirect parameter to the Location header.

source_13.2.6

Conclusion

This vulnerability was patched in version 13.2.7 of Episerver Find. The Episerver team were responsive and effective during this disclosure process.

Patched release: https://nuget.episerver.com/package/?id=EPiServer.Find&v=13.2.7

To avoid this type of vulnerability, user input should be strictly validated before being passed to a redirect. Redirect URLs should be relative paths, and any external URLs should be validated against an allow list.

Timeline

The following is an overview of the disclosure timeline.

  1. Patch available (version 13.2.7): 19 May 2020 – already patched
  2. Discovered by Nettitude: 07 July 2020
  3. Reported to vendor: 23 July 2020
  4. CVE-2020-24550 assigned: 19 August 2020
  5. Detailed disclosure: 11 Feb 2021

Latest Cyber Labs articles