Alt Redirect for Statamic Query String Strip Bypass Vulnerability

Vulnerability

A vulnerability exists in the Alt Redirect addon for Statamic, specifically in version 1.6.3. The issue arises because the 'Query String Strip' feature does not consistently remove the configured query parameters when the parameter key appears with different letter case, is double-encoded, or is duplicated in the request. This flaw allows attackers to bypass the intended sanitization, potentially leading to cache poisoning, parameter pollution, or denial-of-service conditions.

Impact

Exploiting this vulnerability can cause cache poisoning, where different encoded or cased query parameters are treated as distinct keys, leading to inconsistent cache entries. It can also result in parameter pollution, disrupting routing or business logic, and causing malformed redirects, such as unexpected 404 responses. Additionally, if exploited at scale, it could exhaust server resources, causing a denial-of-service effect.

Reproduction

To reproduce this vulnerability, install Statamic and the Alt Redirect addon, ensuring that Alt Redirect version 1.6.3 is active. Create a redirect rule from '/old' to '/new' and enable the 'Query String Strip' feature for the 'utm_source' parameter. Then, send crafted HTTP GET requests to the '/old' URL using case-variant 'utm_source' keys, double-encoded underscores, or duplicate 'utm_source' parameters. The expected behavior is for the 'utm_source' parameter to be stripped and the redirect to '/new' to occur, but the vulnerability causes a 404 response instead.
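The three bypass classes above (case variants, double-encoded keys, duplicates) all stem from comparing the raw query key against the configured name. The following added example, which is not the addon's code and stands in for the stripping logic in a generic way, canonicalises each key before comparison so that every variant of 'utm_source' is removed and the redirect target stays consistent. The URLs in SAMPLE_URLS are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Bound repeated percent-decoding so a pathological key cannot keep the
# loop busy; three rounds covers single and double encoding.
MAX_DECODE_ROUNDS = 3


def canonical_key(raw_key: str) -> str:
    """Percent-decode a query key until it stops changing, then lowercase it.

    parse_qsl() already decodes one layer, so 'utm%255Fsource' arrives here
    as 'utm%5Fsource' and is decoded once more to 'utm_source'.
    """
    key = raw_key
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(key)
        if decoded == key:
            break
        key = decoded
    return key.lower()


def strip_params(url: str, blocked: set[str]) -> str:
    """Drop every occurrence of each blocked parameter, matching on canonical keys.

    Unrelated parameters are kept in their original order; an empty
    remaining query yields a URL with no '?' at all.
    """
    blocked_canon = {canonical_key(name) for name in blocked}
    parts = urlsplit(url)
    kept = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if canonical_key(key) not in blocked_canon
    ]
    return urlunsplit(parts._replace(query=urlencode(kept)))


# Constructed request URLs covering the three bypass classes in the advisory.
SAMPLE_URLS = [
    "/old?utm_source=newsletter&page=2",        # plain key
    "/old?UTM_Source=newsletter&page=2",        # case variant
    "/old?utm%255Fsource=newsletter&page=2",    # double-encoded underscore
    "/old?utm_source=a&utm_source=b&page=2",    # duplicate parameters
]


def check_all_stripped() -> bool:
    """True when every sample normalises to the same stripped URL."""
    return all(strip_params(u, {"utm_source"}) == "/old?page=2" for u in SAMPLE_URLS)


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:45} -> {strip_params(u, {'utm_source'})}")
```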

Added: Oct 10, 2025, 2:19 PM
Updated: Oct 10, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.8
exploitability: 8.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.