Easyadminbundle: [XSS] - referer parameter is not secured

Created on 4 Apr 2019 · 10 comments · Source: EasyCorp/EasyAdminBundle

Describe the bug

A security team is auditing our application and they found a Cross-Site Scripting problem with the referer parameter: as the parameter is directly injected into the template (like in this file: EasyAdminBundle/src/Resources/views/default/includes/_actions.html.twig) without cleaning, nasty code can be injected.

To Reproduce

Set parameter referrer to javascript%3aalert(1)%2f%2fasbruhdu on a page with a return to list button


All 10 comments

Although you are 100% correct technically speaking, I'd like to make two comments:

1) This bundle is used to create backends, which are private and accessed only by your company employees.
2) How can a malicious employee change the referrer value to javascript%3aalert(1)%2f%2fasbruhdu?

I need a reproducer because I want to understand whether this is a theoretical issue "impossible" to reproduce in real world or a real issue. Thanks!

hi,
for the 1st point I totally agree with you, our backend requires authentication and access is filtered by IP, but the security team doesn't really care about those things 😄.
I have opened the issue because not everybody has as many security protections.

For the 2nd point I could guess a scenario like this:
Malicious Employee 1 with read access to a list of items managed by EasyAdmin
Over-confident Employee 2 with write access to the same list of items

Employee 1 can send an email to Employee 2 with a link formatted like this:

Hello Employee 2, could you look at the item XXXX, I think the price is wrong

just look at the URL: the referer parameter has been replaced by a javascript injection

with a link like that, Employee 1 can make Employee 2 do anything on the site

I agree we should do something about this. As explained, it should not be a critical security issue for most backends ... but we should fix it. How could we do that?

first thing: referer doesn't seem to be documented, right? It can't be configured in any yaml file.

From what I see, this referer parameter is just a link to the previous "action" done on the entity. Most of the time it is the list action; perhaps we could store the previous action name (list, edit, etc.) in the parameter and generate the link with this action when needed?

Another solution is what we have done with my client: we check the content of the parameter, and if it is not a relative URL starting with the EasyAdmin route prefix, we throw an exception (we can also check for absolute URLs starting with the current scheme+host).
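The allow-list check described in the comment above, written out as an added PHP example that is not EasyAdminBundle's own code. The function names `safeReferrer` and `pathUnderPrefix`, the `/admin` route prefix, the `http://domain.fr` origin and the sample inputs are all assumptions or constructed values, and it assumes PHP 8 for `str_starts_with`. It returns a fixed fallback instead of throwing, and it goes a little beyond the comment by also refusing protocol-relative (`//host`) links, backslashes, control characters and dot segments. Validating scheme and origin is the essential layer: escaping the value as an HTML attribute stops it breaking out of `href="..."`, but a `javascript:` URL is still a `javascript:` URL once the browser decodes the entities, so escaping alone does not close the report.

```php
<?php
// Added example, not EasyAdminBundle code. Allow-list check for a "referrer"
// query parameter before it is used as a link or redirect target.
// Assumptions: PHP 8+, the backend is mounted under "/admin", and the
// caller supplies the current request origin as "scheme://host[:port]".
declare(strict_types=1);

function pathUnderPrefix(string $path, string $prefix): bool
{
    // Dot segments would let "/admin/../other" escape the prefix after the
    // browser normalises the URL; the decoded path is checked so that
    // percent-encoded spellings of "." are refused as well.
    if (preg_match('#(^|/)\.\.?(/|$)#', rawurldecode($path))) {
        return false;
    }
    $prefix = rtrim($prefix, '/');
    return $path === $prefix || str_starts_with($path, $prefix . '/');
}

/**
 * Returns $referrer when it is a same-origin URL under $routePrefix,
 * otherwise $fallback. Never returns a javascript:, data: or foreign-host URL.
 */
function safeReferrer(?string $referrer, string $routePrefix, string $currentOrigin, string $fallback): string
{
    if ($referrer === null || $referrer === '') {
        return $fallback;
    }
    // Control characters, whitespace and backslashes are used to disguise
    // schemes and hosts, and browsers and parse_url() disagree on them.
    if (preg_match('/[\x00-\x20\x7F\\\\]/', $referrer)) {
        return $fallback;
    }

    if ($referrer[0] === '/') {
        // Relative URL; "//host/..." would be protocol-relative, i.e. off-site.
        if (str_starts_with($referrer, '//')) {
            return $fallback;
        }
        $path = parse_url($referrer, PHP_URL_PATH);
        return is_string($path) && pathUnderPrefix($path, $routePrefix) ? $referrer : $fallback;
    }

    // Anything else must be an absolute URL whose origin equals ours.
    $parts = parse_url($referrer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback; // covers "javascript:alert(1)//..." (scheme but no host)
    }
    $origin = strtolower($parts['scheme'] . '://' . $parts['host'])
        . (isset($parts['port']) ? ':' . $parts['port'] : '');
    if ($origin !== strtolower($currentOrigin)) {
        return $fallback; // also catches "http://domain.fr@evil.example/..."
    }
    return pathUnderPrefix($parts['path'] ?? '/', $routePrefix) ? $referrer : $fallback;
}

// Constructed inputs, as they arrive after PHP has decoded the query string.
$cases = [
    '/admin?action=list&entity=Product',        // accepted
    'http://domain.fr/admin?crudAction=index',   // accepted: same origin
    'javascript:alert(1)//asbruhdu',             // rejected: no host
    '//evil.example/admin',                      // rejected: protocol-relative
    'http://domain.fr@evil.example/admin',       // rejected: host is evil.example
    '/admin/../other',                           // rejected: dot segment
    '/other?x=1',                                // rejected: outside the prefix
];
foreach ($cases as $input) {
    $safe = safeReferrer($input, '/admin', 'http://domain.fr', '/admin');
    // Escape on output as well; validation and escaping are separate layers.
    printf("%-42s -> %s\n", $input, htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}
```

Run it with `php example.php`; the first two inputs come back unchanged and every other one is replaced by `/admin`. The fallback is the deliberate design choice here: a malformed referrer on a legitimate request should degrade to the list page rather than produce an error page that an attacker can use to probe the filter.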

I am a bit surprised that this issue has been sidelined so long: this is a critical security bug.

@nescim This can be explained and we call it "open source". If no one reports or submits PR, the problem remains

I randomly read this issue. I am not too familiar with all the cases where this is used, but couldn't we just replace the referrer by javascript:history.back()?


I thought about that too; it is used in the new, edit and delete flow where the server issues a GET redirect after receiving and processing the POST request. (It is also used directly in a few templates where one could use your suggestion).

More practically, all it takes is to escape the referrer variable with the html_attr filter in Twig. I did it in my project but didn't make that into a pull request because my templates are heavily customized (I removed the sidebar for a top menu and, unfortunately, I have to support IE11, so I had to change them quite a lot).

For the record, the referrer in <a> tags is escaped in EasyAdmin 2, so it should also be escaped in EasyAdmin 3.

On an OpenResty server, it's not possible to access the URL below because of the unescaped '/' characters in the referrer parameter in the URL:
(...)&referrer=http://domain.fr/fr/admin?crudAction (...) and we get a 502 HTTP response

If I replace these unescaped characters by %2f, that works. Is it possible to fix that? Thanks
