Talos Vulnerability Report


phpGACL return_page redirection open redirect vulnerability

January 27, 2021
CVE Number



An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7. A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.

Tested Versions

OpenEMR 5.0.2
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)
phpGACL 3.3.7

Product URLs


CVSSv3 Score

6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


CWE-601 - URL Redirection to Untrusted Site (‘Open Redirect’)


phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List.

The latest version of this library has been found to be used in OpenEMR, as such the tests have been performed against an OpenEMR instance.

The file gacl_admin_api.class.php (in OpenEMR this has been renamed to Gacl/GaclAdminApi.php) defines a return_page function that is supposed to be used to redirect an admin user to a specified page:

function return_page($url="") {
    global $_SERVER, $debug;

    if (empty($url) AND !empty($_SERVER[HTTP_REFERER])) {
        $this->debug_text("return_page(): URL not set, using referer!");
        $url = $_SERVER[HTTP_REFERER];

    if (!$debug OR $debug==0) {
        header("Location: $url\n\n");             [1]
    } else {
        $this->debug_text("return_page(): URL: $url -- Referer: $_SERVER[HTTP_REFERRER]");

At [1] we can see that the $url passed as argument is used in the location header without any sanitization.

As an example, one instance where this function is used is in admin/acl_list.php:

switch ($_GET['action']) {
    case 'Delete':

        if (is_array ($_GET['delete_acl']) AND !empty($_GET['delete_acl'])) {
            foreach($_GET['delete_acl'] as $id) {

        //Return page.
        $gacl_api->return_page($_GET['return_page']);   [2]

The return_page variable is controllable the query string [2], meaning that an attacker could supply a malicious link to the phpGACL instance, which eventually will redirect the user to an arbitrary location controlled by the attacker. This can be abused to conduct phishing attacks and steal credentials.

Additionally, the return_page function should either call exit() or die() before returning, otherwise execution would continue, which could result in unexpected behavior.

Exploit Proof of Concept

The issue above has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL.

An attacker could send the following link to an admin user to reproduce:


Clicking on this link will redirect the user to an arbitrary page (in this example “http://open-emr.org”).


2020-10-21 - Vendor Disclosure
2021-01-05 - Vendor Patched
2021-01-27 - Public Release


Discovered by Claudio Bozzato of Cisco Talos.