FirstBlood-#354 — Open Redirect on /logout.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, 0x1452 Level 3 reported:
GET /drpanel/logout.php?ref=... is vulnerable to an Open Redirect, caused by the
In the previous version this was exploitable by setting /\/evil.com. However, this time backslashes get replaced with a period (.). To bypass this fix, an attacker can simply use a tab (%09).
To reproduce this, navigate to /drpanel/logout.php?ref=/%09/example.com and notice that it successfully redirects to example.com:
The tab will be ignored by the browser.
There are multiple ways Open Redirects can be abused by attackers. In the worst case they could be used to steal OAuth tokens or bypass certain whitelist filters (e.g. for SSRF). They could also be used to redirect victims to phishing sites. Using your domain as the first link will make it look more convincing to people who aren't careful.
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, so the endpoint remained vulnerable to open redirect. This vulnerability only affects Chrome.
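The fix described above was a denylist (replace backslashes), which is why a second character the browser tolerates reopened the hole. Added example, not FirstBlood's code: an allowlist check for a `ref` parameter that decodes and normalises the value the way a browser will and accepts only a same-origin path. It goes beyond the two payload shapes on this page to the general class of scheme-relative redirects; the origin `firstblood.example` and the fallback page `/drpanel/login.php` are assumed values.

```python
from urllib.parse import unquote, urlsplit, urljoin

# Assumed values for the example; the real app's origin and login page are not on the page.
APP_BASE = "https://firstblood.example/drpanel/logout.php"
SAFE_FALLBACK = "/drpanel/login.php"


def safe_redirect_target(ref: str, base: str = APP_BASE) -> str:
    """Return ref if it is a same-origin path, otherwise SAFE_FALLBACK.

    The patch on this page replaced backslashes with a period (a denylist).
    Browsers that follow the WHATWG URL parser strip tab/CR/LF before parsing
    and treat a backslash like a slash in http(s) URLs, so "/\\/evil.com",
    "/%09/evil.com" and "//evil.com" all become scheme-relative URLs pointing
    at evil.com. Allowlisting what the parameter may look like, after decoding
    and normalising as a browser would, closes the class instead of one character.
    """
    candidate = unquote(ref)

    # Browsers silently drop ASCII tab and newlines from a URL before parsing,
    # so "/<TAB>/evil.com" is really "//evil.com". Any control character in a
    # redirect target is therefore a red flag: refuse it outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return SAFE_FALLBACK

    # Normalise the way the browser will: backslash acts as a slash for
    # special schemes, so "/\/evil.com" must be judged as "//evil.com".
    candidate = candidate.replace("\\", "/")

    # Only an absolute path on our own site is acceptable. A second leading
    # slash would make it scheme-relative (//host/...), so reject that too.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return SAFE_FALLBACK

    # Belt and braces: resolve against our origin and verify it stayed there.
    ours, resolved = urlsplit(base), urlsplit(urljoin(base, candidate))
    if (resolved.scheme, resolved.netloc) != (ours.scheme, ours.netloc):
        return SAFE_FALLBACK
    return candidate


if __name__ == "__main__":
    # Constructed inputs: the two payload shapes from the report, two other
    # scheme-relative/absolute forms, and one legitimate in-app path.
    for ref in ["/\\/evil.com", "/%09/example.com", "//evil.com",
                "https://evil.com/", "/drpanel/index.php?tab=1"]:
        print(f"{ref!r:32} -> {safe_redirect_target(ref)}")
```

Logging the rejected value alongside the fallback is a cheap detection signal: a `ref` containing %09, %5C or a leading `//` in production traffic is almost never a legitimate user.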