FirstBlood-#382 — Logout.php is still vulnearble to Open Redirect
This issue was discovered on FirstBlood v2
On 2021-10-25, kinako reported:
Dear FirstBlood security team, I found a vulnerability on your service.
I hope this report will help you.
ref param is vulnerable to Open Redirect.
First of all,
/drpanel/logout.php has the
ref param to redirect users.
The firstblood server-side seems to sanitize its value but it can be bypassed by payload above.
This value will make victim go to Google top page via 302 Found.
- normal users can be redirected to malicious website prepared by the attackers
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as
%09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.