FirstBlood-#413 — Open redirect at https://62f9cb44c755-0xconft.a.firstbloodhackers.com/drpanel/logout.php?ref=//http:evil.org
This issue was discovered on FirstBlood v2
On 2021-10-25, 0xconft Level 5 reported:
Hi there,
I noticed that the https://62f9cb44c755-0xconft.a.firstbloodhackers.com/drpanel/logout.php?ref=/ endpoint is still vulnerable to open redirect, even though there's character removal for "/" and even translation of "/" -> ".". It's still vulnerable with this payload:
//http:evil.org, which will be reflected as
Location: http:evil.org
PoC redirect to evil.org
https://62f9cb44c755-0xconft.a.firstbloodhackers.com/drpanel/logout.php?ref=//http:evil.org
Impact of this vulnerability is that it can be used for phishing or for bypassing an SSRF filter.
Best Regards,
0xconft
P4 Low
Endpoint: /drpanel/logout.php?
Parameter: ref
Payload: //http:evil.org
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
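As an added illustration (not the FirstBlood application's own code), the deny-list style filter the report describes is reconstructed below as an assumption, beside an allow-list check a defender would use for the ref parameter instead. Both the "//http:evil.org" payload from the report and the %09 variant noted above are run through each; the default login path is a placeholder.

```python
from urllib.parse import urlsplit, unquote

# Weak filter reconstructed from the report's description (an assumption, not
# the actual logout.php code): strip leading slashes, then map "/" to ".".
# "//http:evil.org" survives as "http:evil.org", which Chrome follows to evil.org.
def weak_ref_filter(ref: str) -> str:
    return ref.lstrip("/").replace("/", ".")

# Hardened check: allow-list a plain same-site path instead of deny-listing
# characters. Anything else falls back to a fixed default on this host.
def safe_redirect_target(ref: str, default: str = "/drpanel/login.php") -> str:
    decoded = unquote(ref)
    # Browsers strip \t, \r and \n from URLs, so "/%09/evil.org" would become
    # "//evil.org" after decoding; reject control characters, whitespace and
    # backslashes up front rather than trying to strip them.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in decoded):
        return default
    parts = urlsplit(decoded)
    # A scheme or host means an absolute or protocol-relative URL.
    if parts.scheme or parts.netloc:
        return default
    # Must be a rooted path, and "//..." is protocol-relative even if urlsplit
    # were ever to miss it.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return default
    return decoded

if __name__ == "__main__":
    for ref in ["//http:evil.org", "/%09/evil.org", "/drpanel/index.php"]:
        print(f"{ref!r}: weak -> {weak_ref_filter(ref)!r}, "
              f"hardened -> {safe_redirect_target(ref)!r}")
```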