PT-2017-10861 · Phoenix · Phoenix Framework

Published 2017-11-17 · Updated 2022-04-12 · CVE-2017-1000163

CVSS v3.1 6.1 Medium

Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Phoenix Framework versions 1.0.0 through 1.1.6
Phoenix Framework versions 1.2.0 through 1.2.2
Phoenix Framework version 1.3.0-rc.0
Description

The issue is an unvalidated URL redirection (open redirect) that can be used for phishing and other social-engineering attacks. Phoenix.Controller.redirect/2 is designed to prevent redirects to external hosts: the :to option accepts only local paths, and an intentional external redirect must be requested explicitly with the :external option. The local-path check, however, does not agree with how browsers parse URLs. A value such as /\example.com begins with a single forward slash and so passes the local-URL validation, but browsers treat a backslash as equivalent to a forward slash in http(s) URLs (the WHATWG URL Standard behaviour implemented by Chrome and Firefox), so a Location header of /\example.com is interpreted as the scheme-relative URL //example.com and the user is sent to an external site. For example, a request to http://localhost:4000/?redirect=/\example.com, where the redirect parameter ends up in the :to option, passes validation and still results in a successful external redirect, which makes a highly believable phishing link since the visible URL points at the trusted host.
Recommendations

For all affected versions (1.0.0 through 1.1.6, 1.2.0 through 1.2.2, and 1.3.0-rc.0), upgrade to a release that includes the fix (Phoenix 1.2.3 or later in the 1.2 series, 1.3.0-rc.1 or later in the 1.3 series). Until the upgrade is done, do not pass user-controlled input to the :to option of Phoenix.Controller.redirect/2 unless it has been validated independently: reject any value that contains a backslash or that does not start with exactly one forward slash, or, better, map the user-supplied value to a server-side allowlist of paths and redirect to the allowlisted path rather than to the raw input. Treat every redirect target that originates from a request parameter as untrusted, whichever option it is passed through; :external intentionally performs no validation at all.
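As an added illustration of the mechanism in the description and of the checks recommended above (this is not code from the page or from the Phoenix project), the Node.js script below reproduces the browser's view of each redirect target. Node's URL class implements the WHATWG URL Standard, the same algorithm Chrome and Firefox use, so it shows where a Location header value actually sends the user. naiveIsLocal is a reconstruction of a "one leading slash" check of the kind this advisory shows to be insufficient, not the framework's code; hardenedIsLocal and staysOnOrigin are the two checks suggested here; APP_ORIGIN and all sample inputs are constructed for the example.

```javascript
// Added example, not Phoenix code: how WHATWG-conformant browsers resolve
// redirect targets that pass a naive "one leading slash" local-URL check.
// Node's URL class implements the WHATWG URL Standard, so its results match
// what Chrome and Firefox do with a Location header.

// Origin of the application issuing the redirect (assumed for the example).
const APP_ORIGIN = "http://localhost:4000/";

// Reconstruction of a naive local-URL check: one leading "/" is local,
// "//host" is not. Illustration only, not the framework's actual code.
function naiveIsLocal(to) {
  return to.startsWith("/") && !to.startsWith("//");
}

// Where the browser actually navigates when the server answers with
// `Location: <to>` to a request made against the given base URL.
function browserResolves(to, base = APP_ORIGIN) {
  return new URL(to, base).href;
}

// Hardened syntactic check: exactly one leading "/" followed by neither "/"
// nor "\", and no backslash anywhere (browsers treat "\" as "/" for http(s)).
function hardenedIsLocal(to) {
  return /^\/(?![\/\\])/.test(to) && !to.includes("\\");
}

// Semantic check: resolve the target exactly as the browser will and require
// the resulting origin to be the application's own origin.
function staysOnOrigin(to, base = APP_ORIGIN) {
  return new URL(to, base).origin === new URL(base).origin;
}

// Run every check against one candidate redirect target.
function evaluate(to) {
  return {
    to,
    naiveIsLocal: naiveIsLocal(to),
    hardenedIsLocal: hardenedIsLocal(to),
    browserResolves: browserResolves(to),
    staysOnOrigin: staysOnOrigin(to),
  };
}

// Constructed inputs: the advisory's bypass plus a few neighbours.
const SAMPLES = [
  "/account",          // genuinely local
  "//example.com",     // scheme-relative; the naive check catches this one
  "/\\example.com",    // the advisory's bypass: "/\" becomes "//" in the browser
  "/\\\\example.com",  // two backslashes: still external
  "/%5Cexample.com",   // percent-encoded backslash is not decoded: stays local
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(evaluate(s)));
}
```

Run it with node. The line for /\example.com is the core of the advisory: naiveIsLocal reports it as local while browserResolves returns http://example.com/. Of the two hardened checks, staysOnOrigin is the one to prefer when the redirect target may legitimately be any path on the site, because it reuses the browser's own parsing rules instead of a list of dangerous characters; a server-side allowlist of destinations is stronger still, since it never echoes user input into Location at all.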

Fix

Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2017-1000163
GHSA-CMFH-8F8R-FJ96

Affected Products

Phoenix Framework