FirstBlood-#382 — Logout.php is still vulnerable to Open Redirect
This issue was discovered on FirstBlood v2
On 2021-10-25, kinako Level 5 reported:
Dear FirstBlood security team, I found a vulnerability on your service.
I hope this report will help you.
Summary
The ref param is vulnerable to Open Redirect.
Vulnerability Description(PoC)
First of all, /drpanel/logout.php has the ref param to redirect users.
The firstblood server-side seems to sanitize its value, but it can be bypassed by the payload below.
?ref=/%09/www.google.com
This value will make the victim go to the Google top page via 302 Found.
Impact
- normal users can be redirected to a malicious website prepared by the attackers
Regards,
kinako
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: ?ref=/%09/www.google.com
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09 (a URL-encoded tab), so the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
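To show why a tab-based bypass like the one above gets past a "starts with a single slash" check, and how a defender can validate a redirect target instead, here is an added Python example; it is not FirstBlood's code, and the site origin, the default landing path and the naive check it contrasts are assumptions.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Assumed values for illustration only; FirstBlood's real origin and defaults are not on the page.
SITE_ORIGIN = "https://firstblood.example"
DEFAULT_LANDING = "/drpanel/"

# Characters browsers strip from a URL before parsing it (ASCII tab, LF, CR).
_STRIPPED_BY_BROWSERS = "\t\n\r"


def naive_is_local(ref: str) -> bool:
    """Assumed weak check: blocks '//host' and 'scheme:' but looks at raw characters only."""
    decoded = unquote(ref)
    if decoded.startswith("//") or ":" in decoded.split("/", 1)[0]:
        return False
    return decoded.startswith("/")


def browser_view(ref: str) -> str:
    """What a browser actually navigates to: decoded, with tab/newline removed."""
    decoded = unquote(ref)
    return "".join(c for c in decoded if c not in _STRIPPED_BY_BROWSERS)


def safe_redirect_target(ref: str) -> str:
    """Return an absolute same-origin URL for ref, or DEFAULT_LANDING if ref is not a local path."""
    decoded = unquote(ref)
    # Reject any control or whitespace character: these are exactly what a browser may drop.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in decoded):
        return DEFAULT_LANDING
    # Require exactly one leading slash; '//' and '/\' both become protocol-relative in browsers.
    if not decoded.startswith("/") or decoded[1:2] in ("/", "\\"):
        return DEFAULT_LANDING
    # Resolve against our own origin and confirm scheme and host did not change.
    resolved = urljoin(SITE_ORIGIN, decoded)
    origin, target = urlsplit(SITE_ORIGIN), urlsplit(resolved)
    if (target.scheme, target.netloc) != (origin.scheme, origin.netloc):
        return DEFAULT_LANDING
    return resolved
```

The naive check accepts `/%09/www.google.com` because the tab sits between the two slashes, while the browser view of the same value is `//www.google.com`, a protocol-relative URL pointing off-site.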