CVE-2022-41965 - Open Redirect in Opencast Paella Authentication – Exploitation, Impact, and Fix

Opencast is a widely used, open-source platform for managing educational audio and video content. Many universities and learning organizations rely on it for recording, processing, and distributing lecture videos. Like most web applications, Opencast's security is crucial to protect users and data.  

In November 2022, a security bug was discovered (CVE-2022-41965) affecting certain versions of Opencast. This vulnerability allowed attackers to craft URLs that redirect users to malicious websites simply by clicking a link on Opencast’s authentication page. Let’s break down what the vulnerability was, how it could be exploited, and how to fix it.

What is CVE-2022-41965?

CVE-2022-41965 describes an open redirect in the Paella authentication page of Opencast before version 12.5. An open redirect means an attacker can manipulate a link on your site to send users to any website they want after authentication, which is a common tactic for phishing attacks.

How Does the Vulnerability Work?

When users log in to Opencast through the Paella player’s authentication page, they are redirected to a next or redirect URL parameter that tells Opencast where to go afterward. The vulnerability? Opencast does not check if the new URL is internal or external.

So, an attacker could craft a link like this

https://evil.com/phishing" rel="nofollow">https://example-opencast.edu/paella/ui/login.html?next=https://evil.com/phishing

When a user logs in with this link, Opencast will send them to https://evil.com/phishing right after login. To a user, it looks like they’re just using Opencast as usual — but in reality, they're being sent to a malicious website. Attackers could set up a look-alike page to steal credentials or personal information.

1. Setting up the Attack

An attacker creates a phishing site:  
https://evil.com/phishing – maybe a fake Opencast login page.

The attacker then crafts a malicious link

https://opencast.university.edu/paella/ui/login.html?next=https://evil.com/phishing

The attacker sends this link to university students or staff via email

> "Your lecture videos are waiting! Please log in: [Malicious Link]"

They enter credentials on the real login page.

- As soon as they log in, Opencast redirects their browser to https://evil.com/phishing.
- The phishing site may display a fake “session expired, please log in again” page to trick users into entering credentials a second time.

4. Outcome

User data or credentials can now be stolen. If the phishing site serves malware, the user could get infected.

The vulnerable code would look something like this (simplified for illustration)

// Get the 'next' URL parameter
String next = request.getParameter("next");

// No validation!
response.sendRedirect(next);

What's wrong here?
This logic doesn’t check whether next is a safe, internal link. It just redirects to whatever URL is supplied.

A secure way is to check the next parameter for validity before redirecting

String next = request.getParameter("next");
if (next != null && next.startsWith("/")) {
    // Only allow redirects within the app
    response.sendRedirect(next);
} else {
    response.sendRedirect("/home");
}

> *Now, only internal redirects happen — external URLs get ignored!*

Malware: Users could be sent to download malicious files.

- User Disruption and Trust Damage: Attackers could target students, teachers, or staff, damaging trust in university IT.

The issue is fixed in Opencast 12.5 and newer

- Release Notes for v12.5

Fix and Mitigation

Upgrade Opencast!  
The Opencast team fixed this in version 12.5. All users are urged to upgrade as soon as possible.

Disable external authentication redirects (if possible)

- Add web server rules (like with nginx or Apache) to block requests with external URLs in next parameters

More Information

- Opencast Security Advisories
- CVE-2022-41965 at NVD
- Opencast 12.5 Release Notes (Security)

Final Thoughts

CVE-2022-41965 is a good reminder that even a simple redirect feature can become a big security risk if not handled correctly. Always check your URL parameters, validate user input, and keep your web apps patched and up to date!

If you're running Opencast before 12.5, upgrade now — and stay safe from phishing and open redirect attacks.


*Post exclusive for your reference. Feel free to share with your IT team!*

Timeline

Published on: 11/28/2022 21:15:00 UTC
Last modified on: 12/01/2022 23:14:00 UTC