6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000163

GHSA ID

GHSA-cmfh-8f8r-fj96

EPSS Score

0.81931%

CWE

CWE-601

Published

4/12/2022

Updated

9/7/2023

KEV Status

Technology

Erlang

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-1000163

CVE-2017-1000163: Phoenix Arbitrary URL Redirect

The Phoenix team designed Phoenix.Controller.redirect/2 to protect against redirects allowing user input to redirect to an external URL where your application code otherwise assumes a local path redirect. This is why the :to option is used for “local” URL redirects and why you must pass the :external option to intentionally allow external URLs to be redirected to. It has been disclosed that carefully crafted user input may be treated by some browsers as an external URL. An attacker can use this vulnerability to aid in social engineering attacks. The most common use would be to create highly believable phishing attacks. For example, the following user input would pass local URL validation, but be treated by Chrome and Firefox as external URLs: http://localhost:4000/?redirect=/\nexample.com Not all browsers are affected, but latest Chrome and Firefox will issue a get request for example.com and successfully redirect externally

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000163

GHSA ID

GHSA-cmfh-8f8r-fj96

EPSS Score

0.81931%

CWE

CWE-601

Published

4/12/2022

Updated

9/7/2023

KEV Status

Technology

Erlang

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phoenix	erlang	< 1.0.6	1.0.6
phoenix	erlang	>= 1.1.0, < 1.1.8	1.1.8
phoenix	erlang	>= 1.2.0, < 1.2.3	1.2.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability directly stems from Phoenix.Controller.redirect/2's handling of the :to parameter, as explicitly stated in the advisory. The function's security boundary between local (:to) and external (:external) redirects was bypassable via newline injection. The temporary fix provided in the Elixir forum post specifically overrides this function to add newline detection, confirming its central role in the vulnerability. The file path is standard for Phoenix's controller implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** P*o*nix t**m **si*n** `P*o*nix.*ontroll*r.r**ir**t/*` to prot**t ***inst r**ir**ts *llowin* us*r input to r**ir**t to *n *xt*rn*l URL w**r* your *ppli**tion *o** ot**rwis* *ssum*s * lo**l p*t* r**ir**t. T*is is w*y t** `:to` option is us** *or “l

Reasoning

T** vuln*r**ility *ir**tly st*ms *rom `P*o*nix.*ontroll*r.r**ir**t/*`'s **n*lin* o* t** :to p*r*m*t*r, *s *xpli*itly st*t** in t** **visory. T** *un*tion's s**urity *oun**ry **tw**n lo**l (:to) *n* *xt*rn*l (:*xt*rn*l) r**ir**ts w*s *yp*ss**l* vi* n*

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-1000163: Phoenix Arbitrary URL Redirect

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI