FirstBlood-#278Open redirect in logout function



On 2021-05-15, YouGina reported:

Summary

There is an open URL redirect vulnerability in the logout functionality of this application. This allows the attacker to redirect a user to any url of choice.

Steps to reproduce

An attacker can provide the following link to a victim to exploit this vulnerability. The victim will be forwarded to attacker.com:

http://firstbloodhackers.com:49766/drpanel/logout.php?ref=/\/attacker.com/

Additional details:

To be complete I have been able to identify three bypass techniques to exploit this vulnerability:

Using these payloads in the url will look like:

  • http://firstbloodhackers.com:49766/drpanel/logout.php?ref=%2f%5c%2fexample%2ecom%2f
  • http://firstbloodhackers.com:49766/drpanel/logout.php?ref=%2f%09%2fexample%2ecom
  • http://firstbloodhackers.com:49766/drpanel/logout.php?ref=%2f%2fhttps%3a%2f%2fexample%2ecom%2f%2f

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref=

Payload: /\/attacker.com/


FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.