VYPR
Moderate severity · NVD Advisory · Published Oct 24, 2013 · Updated Apr 29, 2026

CVE-2013-4390

Description

Open redirect vulnerability in the AbstractAuthenticationFormServlet in the Auth Core (org.apache.sling.auth.core) bundle before 1.1.4 in Apache Sling allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the resource parameter, related to "a custom login form and XSS."
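The check the patch adds (a cleanse() step built on AuthUtil.isRedirectValid) expressed as a stand-alone validator, added here as an illustration and not Sling's own code. The accepted-target policy (path-only, single leading slash, inside the servlet context path), the context_path argument and the sample inputs are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit


def _has_forbidden_chars(s: str) -> bool:
    # Whitespace, control characters and backslashes are never legitimate in
    # a redirect path; browsers treat "\" like "/", so "/\host" would become
    # the scheme-relative "//host".
    return any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in s)


def is_redirect_valid(context_path: str, target: str) -> bool:
    """Accept `target` only if it is a path-only URL inside `context_path`.
    Stand-alone reimplementation of the policy the patch delegates to
    AuthUtil.isRedirectValid (assumed, not Sling's code)."""
    if not target or _has_forbidden_chars(target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    # "https://host/..." and "javascript:..." set scheme; "//host/..." sets netloc.
    if parts.scheme or parts.netloc:
        return False
    # Re-check after percent-decoding: the value is re-submitted as a form
    # parameter, which the container decodes, so "/%2F%2Fhost" must not pass.
    path = unquote(parts.path)
    if _has_forbidden_chars(path) or not path.startswith("/") or path.startswith("//"):
        return False
    # Collapse dot segments so "/app/../other" cannot escape the context path.
    path = posixpath.normpath(path)
    ctx = context_path.rstrip("/")
    if ctx and path != ctx and not path.startswith(ctx + "/"):
        return False
    return True


def cleanse(context_path: str, target: str) -> str:
    """Mirror of the patch's cleanse(): keep a valid target, else return ""."""
    if target and not is_redirect_valid(context_path, target):
        return ""
    return target


if __name__ == "__main__":
    # Constructed inputs: a defender's regression check for the validator.
    for t in ("/app/content/page.html", "https://attacker.example/",
              "//attacker.example/", "/\\attacker.example",
              "javascript:alert(1)", "/app/../other"):
        print(f"{t!r:32} -> {cleanse('/app', t)!r}")
```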

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Ecosystem   Affected versions   Patched versions
org.apache.sling:org.apache.sling.auth.core  Maven       < 1.1.4             1.1.4

Affected products

  • cpe:2.3:a:apache:sling:*:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:sling_auth_core_component:*:*:*:*:*:*:*:* (range: <= 1.1.2)
  • cpe:2.3:a:apache:sling_auth_core_component:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:sling_auth_core_component:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:sling_auth_core_component:1.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:sling_auth_core_component:1.1.0:*:*:*:*:*:*:*

Patches

d1cd9aaa3432

SLING-3141 : AbstractAuthenticationFormServlet should make sure resource is a valid redirect

1 file changed · +45 −7
  • src/main/java/org/apache/sling/auth/core/spi/AbstractAuthenticationFormServlet.java (+45 −7, modified)
    @@ -130,15 +130,49 @@ protected String getForm(final HttpServletRequest request)
                 throws IOException {
             String form = getRawForm();
     
    -        form = form.replace("${resource}", escapeXml(getResource(request)));
    -        form = form.replace("${j_reason}", escapeXml(getReason(request)));
    -        form = form.replace("${requestContextPath}", escapeXml(getContextPath(request)));
    -        form = form.replace("${contextPath}", escapeXml(request.getContextPath()));
    +        final String resource = cleanse(request, getResource(request));
    +        final String reason = getReason(request);
    +        final String resourceContextPath = cleanse(request, getContextPath(request));
    +        final String contextPath = request.getContextPath();
    +
    +        // replace form placeholders with checked and filtered values
    +        form = form.replace("${resource}", escape(resource));
    +        form = form.replace("${j_reason}", escape(reason));
    +        form = form.replace("${requestContextPath}", escape(resourceContextPath));
    +        form = form.replace("${contextPath}", escape(contextPath));
     
             return form;
         }
     
    -    private static String escapeXml(final String input) {
    +    /**
    +     * Makes sure the given {@code target} is not pointing to some absolute
    +     * location outside of the given {@code request} context. If so, the target
    +     * must be ignored and an empty string is returned.
    +     * <p>
    +     * This method uses the
    +     * {@link AuthUtil#isRedirectValid(HttpServletRequest, String)} method.
    +     *
    +     * @param request The {@code HttpServletRequest} to test the {@code target}
    +     *            against.
    +     * @param target The target location (URL) to test for validity.
    +     * @return The target location if not pointing outside of the current
    +     *         request or an empty string.
    +     */
    +    private static String cleanse(final HttpServletRequest request, final String target) {
    +        if (target.length() > 0 && !AuthUtil.isRedirectValid(request, target)) {
    +            return "";
    +        }
    +        return target;
    +    }
    +
    +    /**
    +     * Escape the output.
    +     * This method does a simple XML escaping for '<', '>' and '&'
    +     * and also escapes single and double quotes.
    +     * As these characters should never occur in a url this encoding should
    +     * be fine.
    +     */
    +    private static String escape(final String input) {
             if (input == null) {
                 return null;
             }
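Review bot: cleanse() dereferences target.length() without a null check, while the escape() it feeds (and the escapeXml it replaces) explicitly guards against input == null; if getResource(request) or getContextPath(request) can return null, the login form now fails with a NullPointerException instead of rendering. Suggest `if (target == null || target.length() == 0) { return target; }` ahead of the AuthUtil.isRedirectValid call, or normalising null to "" there so the two helpers agree on their null contract. Also, the new Javadoc does not say that cleanse() silently drops a rejected target; a log line at debug level when a target is discarded would make the behaviour visible to operators investigating "lost" redirects after login.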
    @@ -148,10 +182,14 @@ private static String escapeXml(final String input) {
                 final char c = input.charAt(i);
                 if(c == '&') {
                     b.append("&amp;");
    -            } else if(c == '<') {
    +            } else if (c == '<') {
                     b.append("&lt;");
    -            } else if(c == '>') {
    +            } else if (c == '>') {
                     b.append("&gt;");
    +            } else if (c == '"') {
    +                b.append("%22");
    +            } else if (c == '\'') {
    +                b.append("%27");
                 } else {
                     b.append(c);
                 }
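Review bot: the new single- and double-quote branches emit percent-encoded %22 and %27 while the surrounding branches emit HTML entities, and escape() is applied to every placeholder, including ${j_reason} in the first hunk, which is a human-readable message rather than a URL: an apostrophe in a reason text will render literally as %27. Either use &quot; and &#39; consistently, or add a separate escaper for the non-URL placeholders. Minor: the whitespace-only `if(` to `if (` edits are mixed into the functional change; keeping them in a separate commit makes the security fix easier to review and backport.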
    
