FirstBlood-#357 Open redirect via ref parameter on /drpanel/logout.php endpoint
This issue was discovered on FirstBlood v2

On 2021-10-25, panya Level 7 reported:

Steps to reproduce:

Visit this URL: (works in chromium-based browsers).

Actual result:

The user will be redirected to

Expected result:

The ref parameter should allow redirection only to relative paths.

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /%09/

FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, so the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
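
One way to enforce the expected result (relative paths only) without relying on a character blocklist, as an added example that is not FirstBlood's code (the endpoint is PHP; this is JavaScript for Node.js). `APP_ORIGIN`, the function names and the sample values are hypothetical.

```javascript
// Hypothetical origin of the application; not taken from the report.
const APP_ORIGIN = 'https://app.example';

// Returns a same-origin path that is safe to place in a Location header,
// or the fallback when the supplied ref value is not a plain local path.
// `ref` is the parameter value after the server has URL-decoded it.
function safeRedirectTarget(ref, fallback = '/') {
  if (typeof ref !== 'string' || ref.length === 0) return fallback;

  // Reject every control character (tab, CR, LF, NUL, ...). Browsers
  // strip tab and newline before parsing a URL, so "/<TAB>/host" is
  // read as "//host", which is a protocol-relative URL.
  if (/[\u0000-\u001f\u007f]/.test(ref)) return fallback;

  // In http(s) URLs a backslash is treated like a forward slash.
  if (ref.includes('\\')) return fallback;

  // Only a single leading slash is a local absolute path.
  if (!ref.startsWith('/') || ref.startsWith('//')) return fallback;

  // Last line of defence: resolve the value with the same URL parser
  // rules a browser applies and require that the origin did not change.
  let resolved;
  try {
    resolved = new URL(ref, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;

  return resolved.pathname + resolved.search + resolved.hash;
}

// Shows which host a browser-style parser ends up with for a given ref.
function browserResolvedHost(ref) {
  return new URL(ref, APP_ORIGIN).host;
}
```

The origin comparison is what catches characters a blocklist misses, because it checks the value after the parser has normalised it rather than before.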