Parameter Based Redirection

Portal version 21.2.0 and later provides a solution that prevents the security risk of parameter based redirection.

What is Parameter Based Redirection?

Portal uses forms authentication. This means that when a user navigates to a page that requires authentication, the user is redirected to the login.aspx page. The login page prompts the user for a username and password. These credentials are passed to the web server and validated against a SQL database. For an authenticated user, the web server returns an authentication ticket that is encoded into the URL in the "ReturnUrl" parameter.

The "ReturnUrl" parameter on the Student Portal login page can be modified and replaced with any destination website. Upon visiting a modified URL, the browser is first directed to the "Login.aspx" page served by the web server, and the user is prompted for credentials. Upon successful login, the user is then directed to the modified URL that was placed in the "ReturnUrl" parameter.

Example:

After logging in at the URL below, the user will be directed to google.com. The string "https%3a%2f%2fgoogle.com" can be modified to redirect the user to any destination.

https://studentsts-<domain>/Login.aspx?ReturnUrl=https%3a%2f%2fgoogle.com&wa=wsignin1.0&wtrealm=https%3a%2f%2fsisportal-<domain>%2fCMCPortal%2f&wct=2019-08-29T14%3a21%3a29Z&wctx=rm%3d0%26id%3dpassive%26ru%3dsecure%2fstudent%2fstuportal.aspx&AppType=Portal&Role=STUDENT

This is a risk because a crafted URL such as the one above is served from the <domain> and is therefore more convincing when used in phishing attempts. Legitimate users may be directed, with a high success rate, to a fake version of the <domain> site where code can be executed in the victim's browser or sensitive information can be harvested.

Whitelisting of URLs

To prevent the security vulnerability of parameter based redirection, "whitelisting" was added in the Security Token Services (STS) component so that users accessing the Portal cannot be redirected to untrusted sites by phishing attempts. The URLs used by the STS are stored in the wpURL table and are whitelisted (trusted) by default. For a typical Portal deployment, Portal administrators do not need to do anything else.

If any additional URLs use the Student STS for authentication, the associated hostnames need to be added to the wpURL table.

Example:

When Portal is used with Forms Builder, the Forms Builder URLs need to be added to the wpURL table. Since users can be redirected from the STS to Forms Builder, the Forms Builder URLs must also be in the wpURL table. Previously, the Forms Builder URLs were managed manually through the database. Now, users can modify the wpURL table through the Portal Admin Console.

Add Trusted URLs to the wpURL Table

  1. Using Internet Explorer, log in to the Portal Admin Console.

  2. Click the Urls link in the Settings and Environment section to edit Urls in the wpURL table. The Urls page is displayed.

    [Screenshot: Console - URLs config]

  3. In the Sites drop-down list, select your portal site name.

  4. Click the Edit button. The URLs field is now editable.

  5. In the URLs field, specify a semi-colon separated list of trusted hostnames (along with port numbers if applicable) for your site.

  6. Click Save. The following message is displayed:

    [Screenshot: Console - URLs config]

Whitelist URLs for External Application Integrations Using Student STS

With Portal version 21.2.0, the changes made to the product to address this security vulnerability affect other products or external integrations that use the Student STS.

A way to add URLs to the whitelist is provided through an appSetting in the CMCPortalSTS web.config file.

To add URLs to the whitelist, specify semicolon-separated URL values in this appSetting:

<add key="WhiteListedUrls" value="domain.com;abc.edu" />
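As an added illustration (not code from the Portal product, the STS component, or this page), the following Python shows the kind of check a host list of this shape supports, for both the wpURL field described above and the WhiteListedUrls appSetting: it parses a semicolon-separated list of hostnames (with optional port), extracts the ReturnUrl parameter from a login request, and redirects to it only when it is a same-site path or its hostname (and port, where given) is on the list; anything else falls back to a fixed local page. The host list, the fallback path, and the login URL (with <domain> filled in as example.edu) are constructed sample values, and the function names are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample values (not from the page): a host list in the same
# shape as the wpURL field / WhiteListedUrls appSetting, and a same-site
# fallback used whenever ReturnUrl is missing or not trusted.
WHITELISTED_URLS = "sisportal-example.edu;forms-example.edu:8443"
DEFAULT_RETURN = "/CMCPortal/secure/student/stuportal.aspx"

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_whitelist(value):
    """Turn 'host;host:port' into a set of lower-cased, trimmed entries."""
    return {e.strip().lower() for e in value.split(";") if e.strip()}


def host_key(url):
    """Return the 'host' or 'host:port' key of an absolute http(s) URL, or None.

    urlsplit() separates userinfo from the host, so an authority such as
    'trusted.edu@other.example' is keyed by 'other.example', not 'trusted.edu'.
    An explicit default port (https on 443, http on 80) folds into the bare host
    so that 'host' in the list covers 'https://host:443/'.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return host
    return f"{host}:{port}"


def is_trusted_return_url(return_url, whitelist):
    """Accept a same-site path or an absolute URL whose host[:port] is listed."""
    if not return_url:
        return False
    if return_url.startswith("/"):
        # A plain path stays on this site; '//host' and '/\host' are
        # scheme-relative forms that browsers resolve to another host.
        return not return_url.startswith(("//", "/\\"))
    key = host_key(return_url)
    return key is not None and key in whitelist


def resolve_return_url(login_url, whitelist):
    """Read ReturnUrl from the login request and decide where to send the user.

    Returns (destination, trusted) so a caller can log rejected values.
    """
    query = parse_qs(urlsplit(login_url).query)
    candidate = query.get("ReturnUrl", [""])[0]  # parse_qs percent-decodes
    if is_trusted_return_url(candidate, whitelist):
        return candidate, True
    return DEFAULT_RETURN, False


if __name__ == "__main__":
    trusted = parse_whitelist(WHITELISTED_URLS)
    # Constructed login URL in the shape shown earlier on this page.
    login = ("https://studentsts-example.edu/Login.aspx"
             "?ReturnUrl=https%3a%2f%2fgoogle.com&wa=wsignin1.0&AppType=Portal")
    print(resolve_return_url(login, trusted))
```

Keying the comparison on the parsed hostname rather than on a substring of the raw parameter is the point of the example: the list entry "forms-example.edu:8443" then trusts only that host on that port, and "sisportal-example.edu" covers the host on its default port and nothing else.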

Note: For Azure hosted environments, if the configuration needs to be updated to whitelist additional URLs, please contact Anthology Inc. Cloud Services.