FirstBlood-#357Open redirect via ref parameter on /drpanel/logout.php endpoint
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, panya Level 7 reported:

Steps to reproduce:

Visit this URL: https://579a3c7897af-panya.a.firstbloodhackers.com/drpanel/logout.php?ref=/%09/google.com (works in chromium-based browsers).

Actual result:

The user will be redirected to https://google.com

Expected result:

The ref parameter should allow redirection only to relative paths.

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /%09/google.com


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.