FirstBlood-#134Open redirect on /drpanel/logout.php
This issue was discovered on FirstBlood v1



On 2021-05-10, 0xblackbird Level 5 reported:

Hello! I found an open redirect on logout.php. So far, I wasn't unfortunately been able to escalate it unfortunately. But if I do find another way to escalate this issue, I will make sure to update this report.

Proof of concept url

http://firstbloodhackers.com:49422/drpanel/logout.php?ref=/\/example.com

Steps to reproduce

  • Visit the proof of concept url, /drpanel/logout.php?ref=/\/example.com
  • You'll see that it will redirect us to https://example.com . This happend because the filter checks for several things but not the host.

Have a nice day!

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /\/example.com


FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.