Ensure Contextual Search Does Not Contain an Unvalidated Redirect [New in Security Center 7.0]
Prevent Contextual Search results from containing referral links outside the current domain with a system property.
The Contextual Search plugin displays search results in a new window using the cxs_new_window UI page. This UI page contains a referral link which can be set by providing a value to sysparm_url. When the com.snc.contextual_search.cxs_new_window.force_relative_link system property is set to true, sysparm_url can only contain links that are relative to the current domain. This restriction prevents the UI page from being used as an unvalidated redirect to an attacker-controlled website. When the property is set to false, sysparm_url can link to any website.
Set the com.snc.contextual_search.cxs_new_window.force_relative_link property to true. If the property doesn’t exist on the System Properties [sys_properties] table, the default value is false. If the property exists on the table, it defaults to true.
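An added example of the kind of check the property describes, not ServiceNow's own implementation: it resolves sysparm_url against a constructed instance origin and accepts the value only when the result stays on that domain. The origin, the fallback path and the sample inputs are placeholders constructed for the example.

```javascript
// Added example, not ServiceNow's code: a "force relative link" check of the kind the
// com.snc.contextual_search.cxs_new_window.force_relative_link property describes.
// Works in Node.js or a browser; the instance origin is a constructed placeholder.
const CURRENT_ORIGIN = 'https://instance.example';  // constructed, stands in for the instance

// True only when sysparm_url is a relative link that stays on the current domain
// after a browser resolves it.
function isRelativeToCurrentDomain(sysparmUrl) {
  if (typeof sysparmUrl !== 'string' || sysparmUrl === '') return false;
  // Anything carrying a scheme (http:, javascript:, data:, ...) is not a relative link,
  // even when it would point back at the current domain.
  if (/^[A-Za-z][A-Za-z0-9+.\-]*:/.test(sysparmUrl)) return false;
  let resolved;
  try {
    // Resolve exactly as a browser would, including quirks such as "//host" and "/\host".
    resolved = new URL(sysparmUrl, CURRENT_ORIGIN);
  } catch (e) {
    return false;
  }
  return resolved.origin === CURRENT_ORIGIN;
}

// Mirrors the property's two settings: false passes sysparm_url through untouched,
// true replaces anything off-domain with a constructed same-domain default.
function resolveReferralLink(sysparmUrl, forceRelativeLink) {
  const SAFE_DEFAULT = '/cxs_new_window.do';  // constructed placeholder, not a real default
  if (!forceRelativeLink) return sysparmUrl;
  return isRelativeToCurrentDomain(sysparmUrl) ? sysparmUrl : SAFE_DEFAULT;
}

// Constructed sample inputs showing which values the check lets through.
const SAMPLES = [
  '/kb_view.do?sysparm_article=KB0010001',  // relative path on the current domain: allowed
  'incident.do?sys_id=abc',                 // relative to the current page: allowed
  '//attacker.example/phish',               // protocol-relative, resolves off-domain: rejected
  '/\\attacker.example/phish',              // backslash variant browsers treat like "//": rejected
  'https://attacker.example/phish',         // absolute URL to another host: rejected
  'javascript:void(0)',                     // scheme, not a link at all: rejected
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', resolveReferralLink(s, true));
}
```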
More information
| Attribute | Description |
|---|---|
| Configuration name | com.snc.contextual_search.cxs_new_window.force_relative_link |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | Boolean |
| Recommended value | true |
| Default value | true |
| Fallback value | false |
| Category | Validation, sanitization, and encoding |
| Security risk | |
| Functional impact | When set to true, sysparm_url is only allowed to contain links that are relative to the current domain. This restriction means that the UI page can only ever link to web pages on the current domain. However, the UI page is meant to display search results from the current domain and should only ever link to the current domain. |
| Dependencies and prerequisites | The Contextual Search (com.snc.contextual_search) plugin must be active. |
To learn more about adding or creating a system property, see Add a system property.