FirstBlood-#357 — Open redirect via ref parameter on /drpanel/logout.php endpoint
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-25, panya reported:
Steps to reproduce:
Visit this URL: https://579a3c7897af-panya.a.firstbloodhackers.com/drpanel/logout.php?ref=/%09/google.com (works in chromium-based browsers).
The user will be redirected to https://google.com
refparameter should allow redirection only to relative paths.
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as
%09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.