Date
Severity
Moderately Critical
Vulnerability
Server Side Request Forgery (SSRF) / Open Redirect
Affected versions
<=7.x-1.6

Description

Global Redirect is susceptible to a Server Side Request Forgery (SSRF) when used in combination with the remote_stream_wrapper project.

This vulnerability is mitigated by the fact that globalredirect must be configured to use the deslash (/) setting and the remote_stream_wrapper module must be installed. Sites without this combination are not affected.
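To check whether a Drupal 7 site is in the affected combination, the following drush php-script (added here; it is not part of the advisory or of the Global Redirect project) inspects the module state. It assumes that Global Redirect 7.x stores its options in the 'globalredirect_settings' variable under a 'deslash' key, and that the installed version string is comparable with version_compare().

```php
<?php
/**
 * Added example, not from the advisory or the Global Redirect project.
 * Run on a Drupal 7 site with: drush php-script check_globalredirect_ssrf.php
 *
 * Assumptions: Global Redirect keeps its options in the 'globalredirect_settings'
 * variable with a 'deslash' key (non-empty = enabled); releases are tagged as
 * '7.x-1.N' so version_compare() orders them correctly (dev builds are reported
 * for manual review).
 */

function globalredirect_ssrf_exposed() {
  if (!module_exists('globalredirect')) {
    return array('exposed' => FALSE, 'reason' => 'globalredirect is not enabled');
  }

  // Affected versions are <= 7.x-1.6; 7.x-1.7 carries the fix.
  $info = system_get_info('module', 'globalredirect');
  $version = isset($info['version']) ? $info['version'] : 'unknown';
  $patched = ($version !== 'unknown'
    && strpos($version, 'dev') === FALSE
    && version_compare($version, '7.x-1.7', '>='));

  // Condition 1 from the advisory: the deslash option is in use. If the
  // variable was never saved the module runs on its built-in defaults, so
  // report that case for a manual check of the settings page.
  $settings = variable_get('globalredirect_settings', NULL);
  $deslash = ($settings === NULL) ? 'default (verify manually)' : !empty($settings['deslash']);

  // Condition 2 from the advisory: remote_stream_wrapper is installed and enabled.
  $rsw = module_exists('remote_stream_wrapper');

  $exposed = !$patched && $rsw && ($deslash === TRUE || $settings === NULL);

  return array(
    'exposed' => $exposed,
    'version' => $version,
    'patched' => $patched,
    'deslash' => $deslash,
    'remote_stream_wrapper' => $rsw,
    'reason' => $exposed ? 'upgrade globalredirect to 7.x-1.7 or later' : 'combination not present',
  );
}

$result = globalredirect_ssrf_exposed();
foreach ($result as $key => $value) {
  print $key . ': ' . var_export($value, TRUE) . PHP_EOL;
}
```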

Solution

Install the latest version: 7.x-1.7.

Reported by

  • Dave Reid (dave reid)

Fixed by

  • Dan Feder (dafeder)

Coordinated by

  • Tag1 D7ES