FirstBlood-#1166 Open redirect on logout remained unpatched
This issue was discovered on FirstBlood v3
On 2022-12-08, 0xblackbird Level 5 reported:

Summary:

Hi!

I found out that the open redirect remained unfixed since the previous hackevent!

Possible Cause:

The issue remained unfixed from the previous version of FirstBlood. It didn't properly validate user input before, as it only checked whether the redirect URL starts with a / character.

Impact:

I'm able to redirect any user from a trusted host to any other external host.

Steps to reproduce:

Proof of Concept URL: /drpanel/logout.php?ref=%2F%09%2Fexample%2ecom

1) Visit the PoC above (it does not really matter whether you're authenticated or not)
2) You'll notice that you got redirected to https://example.com

Mitigation:

I recommend using a strong regex pattern or implementing a whitelist-based approach.

Have a nice day!

Kind regards, 0xblackbird
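The following is an added example illustrating the report's "Possible Cause" and "Mitigation" sections; it is not FirstBlood's code and not part of the report. The live endpoint is PHP, but the check is shown in Python so it runs stand-alone. `weak_is_safe_redirect` reproduces the validation the report describes (accept anything beginning with `/`), and `is_safe_local_redirect` is an allowlist-based replacement. The allowlisted prefix `/drpanel/` and the fallback target `/` are assumptions chosen for the example.

```python
"""Open-redirect validation: the weak 'starts with /' check beside an allowlist-based one.

Added example for the FirstBlood-#1166 report; not the application's own code.
"""
from urllib.parse import unquote, urlsplit

# The report's payload, URL-decoded: a tab character sits between the two slashes.
REPORT_PAYLOAD = unquote("%2F%09%2Fexample%2ecom")  # -> "/\t/example.com"


def weak_is_safe_redirect(ref: str) -> bool:
    """The check the report describes: accept any value that begins with '/'.

    It passes '/\t/example.com' because browsers strip ASCII TAB/CR/LF from a URL
    before parsing it, leaving '//example.com', a protocol-relative URL that
    points at a different host.
    """
    return ref.startswith("/")


def is_safe_local_redirect(ref: str, allowed_prefixes=("/drpanel/",)) -> bool:
    """Allowlist-based check (hypothetical replacement, assumed prefix '/drpanel/').

    Accepts only an absolute path on the current host that sits under one of the
    allowed prefixes; everything else is rejected.
    """
    # 1. No control characters: browsers discard TAB/CR/LF, which is exactly
    #    what turns '/<TAB>/host' into '//host'. Reject before any parsing.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in ref):
        return False
    # 2. No backslashes: some browsers treat '\' like '/' for http(s) URLs,
    #    so '/\host' would also become '//host'.
    if "\\" in ref:
        return False
    parts = urlsplit(ref)
    # 3. No scheme and no authority: '//example.com' parses with netloc set.
    if parts.scheme or parts.netloc:
        return False
    # 4. Must be an absolute, non-protocol-relative path.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return False
    # 5. Allowlist: only in-application paths are valid post-logout destinations.
    return any(parts.path.startswith(prefix) for prefix in allowed_prefixes)


def choose_logout_target(ref, default="/"):
    """Return where logout should send the user: the ref only if it passes the
    allowlist check, otherwise a fixed default (assumed to be '/' here)."""
    if ref is None:
        return default
    return ref if is_safe_local_redirect(ref) else default


if __name__ == "__main__":
    for candidate in (REPORT_PAYLOAD, "//example.com", "/drpanel/index.php"):
        print(repr(candidate),
              "weak:", weak_is_safe_redirect(candidate),
              "allowlist:", is_safe_local_redirect(candidate))
```

The key design choice is rejecting the input before parsing it: URL parsers, browsers included, normalise away the tab that makes the report's payload look like a local path, so a check that only inspects the first character (or even the parsed path) is not enough on its own. Pairing that with an allowlist of destinations means a bypass of one step still lands on a page of the application.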

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: %2F%09%2Fexample%2ecom


FirstBlood ID: 68
Vulnerability Type: Open Redirect

The open redirect on /drpanel/logout.php remains unfixed