FirstBlood-#413Open redirect at https://62f9cb44c755-0xconft.a.firstbloodhackers.com/drpanel/logout.php?ref=//http:evil.org
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-25, 0xconft Level 5 reported:

Hi there,

I notice that https://62f9cb44c755-0xconft.a.firstbloodhackers.com/drpanel/logout.php?ref=/ endpoint is still vulnerable to open redirect. Even though there's character removal for / and even translation of "/" -> ".". It's still vulnerable with this payload //http:evil.org that will be reflected as

Location: http:evil.org

PoC redirect to evil.org

https://62f9cb44c755-0xconft.a.firstbloodhackers.com/drpanel/logout.php?ref=//http:evil.org

Impact of this vulnerability is this can be used for phsiing or for bypassing SSRF filter

Best Regards, 0xconft

P4 Low

Endpoint: /drpanel/logout.php?

Parameter: ref

Payload: //http:evil.org


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.