FirstBlood-#47Open redirect on the logout.php endpoint [COLLAB]
This issue was discovered on FirstBlood v1

On 2021-05-09, holybugx Level 5 reported:


Hi Sean,

I just found out that there is an open redirect vulnerability on the /drpanel/logout.php endpoint using the ref parameter.

That enables an attacker to redirects the admin/users to the domain he wants.

Steps To Reproduce

There were some protections and filtering around the ref parameter, seems like // were filtered out and you would have been redirected to /, however, using /\/ I was able to bypass the filter and redirect the user to another domain

You can use the following payload to reproduce this redirect to your own domain:



I wasn't able to find any SSO tokens or similar in the URL that could be potentially leaked using this open redirect, for now, the impact is just simply redirecting the user to another domain of attacker and doing phishing, however, keeping that in mind I will try to use that, later on, to bypass some protections over higher impact bugs such as SSRF.

Kind Regards,


P4 Low

Endpoint: /drpanel/logout.php?ref=/

Parameter: ref

Payload: /\/

FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.