FirstBlood-#354 Open Redirect on /logout.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, 0x1452 Level 3 reported:

Hey!

Summary

The endpoint GET /drpanel/logout.php?ref=... is vulnerable to an Open Redirect, caused by the ref parameter.

In the previous version this was exploitable by setting ref to /\/evil.com. However, this time backslashes get replaced with a period (.). To bypass this fix, an attacker can simply use a tab (%09) instead.

To reproduce this, navigate to /drpanel/logout.php?ref=/%09/example.com and notice that it successfully redirects to example.com:

The tab will be ignored by the browser.

Impact

There are multiple ways Open Redirects can be abused by attackers. In the worst case they could be used to steal OAuth tokens or bypass certain whitelist filters (e.g. for SSRF). They could also be used to redirect victims to phishing sites. Using your domain as the first link will make it look more convincing to people who aren't careful.

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /%09/evil.com


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
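The bypass in the report works because the filter and the browser disagree about what the ref value means: the server only rewrites backslashes, while the WHATWG URL parser (which Node's URL class also implements) discards ASCII tabs before parsing, so `/<tab>/example.com` becomes the scheme-relative `//example.com`. The following is an added example, not FirstBlood's own code: it models the v2.0.0 filter as the report describes it, resolves the filtered value the way a WHATWG-compliant parser would, and then shows a hardened check that resolves the ref with that same parser and refuses anything that leaves the site's origin. The origin `https://firstblood.example`, the fallback page `/drpanel/`, and the function names are assumptions made for the example.

```javascript
// Added example, not code from the FirstBlood project.
// Assumed site origin (the real host is not stated on the page).
const SITE_ORIGIN = "https://firstblood.example";

// The v2.0.0 filter as the report describes it: every backslash becomes a period.
// The input is the already URL-decoded query value (what PHP's $_GET hands over),
// so the %09 from the URL has become a literal tab before the filter runs.
function v2Filter(ref) {
  return ref.replace(/\\/g, ".");
}

// Resolve a Location value against the site origin using the WHATWG URL parser.
// That parser strips ASCII tab/newline from the input and, for https URLs,
// treats "\" as "/", which is why the earlier "/\/evil.com" payload worked.
function browserResolve(location, origin) {
  return new URL(location, origin);
}

// Host the browser lands on after the v2 filter has processed the ref.
function redirectHostAfterV2(ref) {
  return browserResolve(v2Filter(ref), SITE_ORIGIN).host;
}

// Hardened handling: refuse control characters and whitespace outright (so the
// parser never gets input it would silently drop), resolve with the same parser
// the browser uses, and require the result to stay on our origin. Anything else
// goes to a fixed fallback page instead of being echoed into Location.
function safeRedirectTarget(ref, fallback = "/drpanel/") {
  if (typeof ref !== "string" || /[\x00-\x20\x7f]/.test(ref)) return fallback;
  let target;
  try {
    target = new URL(ref, SITE_ORIGIN);
  } catch {
    return fallback;
  }
  if (target.origin !== new URL(SITE_ORIGIN).origin) return fallback;
  // Re-emit only path and query, so scheme/host are never attacker-controlled.
  return target.pathname + target.search;
}

// Walk through the payloads from the report (constructed inputs).
function demo() {
  const cases = ["/\\/evil.com", "/\t/example.com", "//evil.com", "/drpanel/login.php"];
  for (const ref of cases) {
    console.log(
      JSON.stringify(ref),
      "-> v2 filter sends browser to host:", redirectHostAfterV2(ref),
      "| hardened:", safeRedirectTarget(ref)
    );
  }
}
demo();
```

Note that the hardened check deliberately uses a browser-compatible parser rather than a server-side helper such as PHP's parse_url, whose view of a string like `/\/evil.com` or `/<tab>/example.com` is not guaranteed to match what Chrome does with it; the report is precisely a case of such a mismatch. Where possible, avoid user-controlled redirect targets on a logout endpoint entirely and map the ref to a short allowlist of internal paths.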