FirstBlood-#259 — CWE-601 Open Redirect on GET /drpanel/logout.php via ref param
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-15, jpdev reported:
The ref= parameter on the logout.php page within the drpanel is vulnerable to an open redirect.
GET /drpanel/logout.php?ref=/\/google.com/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
Additional Reading containing explanation and mitigations
This report has been publicly disclosed for everyone to view
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.
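To make the bypass concrete from the defender's side, here is an added example (not the FirstBlood application's own code; the function names are hypothetical) that places the weak "must start with /" check beside a hardened check, and runs both over the payload from the report plus some constructed variants:

```python
from urllib.parse import urlsplit

# Constructed sample values: the report's payload plus other shapes a ref= value can take.
SAMPLE_REFS = [
    "/\\/google.com/",             # the bypass from the report
    "//google.com/",               # plain protocol-relative URL
    "https://google.com/",         # absolute URL
    "/drpanel/index.php?x=1",      # legitimate same-origin path
    "/\t/google.com/",             # tab that some parsers strip before routing
]


def naive_is_local(ref: str) -> bool:
    """Weak check matching the behaviour described on the page: it only requires a
    leading '/'. '/\\/google.com/' passes, yet browsers normalise '/\\' to '//'
    and treat it as a protocol-relative URL pointing at google.com."""
    return ref.startswith("/")


def safe_is_local(ref: str) -> bool:
    """Hardened check: accept only a single-slash, path-only relative URL."""
    if not ref or ref[0] != "/":
        return False
    # Reject protocol-relative forms; browsers treat a backslash like a slash here.
    if ref[1:2] in ("/", "\\"):
        return False
    # Reject control characters and surrounding whitespace that URL parsers may strip.
    if any(c in ref for c in "\r\n\t") or ref != ref.strip():
        return False
    parts = urlsplit(ref)
    # Any scheme or host component means this is not a same-origin path.
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_redirect_target(ref: str, default: str = "/drpanel/") -> str:
    """Return ref only if it is a local path; otherwise fall back to a fixed page."""
    return ref if safe_is_local(ref) else default


def compare_checks(refs=SAMPLE_REFS) -> dict:
    """Show, per sample, what the weak and hardened checks decide."""
    return {r: (naive_is_local(r), safe_is_local(r)) for r in refs}


if __name__ == "__main__":
    for ref, (naive, safe) in compare_checks().items():
        print(f"{ref!r:28} naive={naive!s:5} safe={safe}")
```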
Respect Earnt: 1000000
is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.