FirstBlood-#47Open redirect on the logout.php endpoint [COLLAB]



On 2021-05-09, holybugx reported:

Description

Hi Sean,

I just found out that there is an open redirect vulnerability on the /drpanel/logout.php endpoint using the ref parameter.

That enables an attacker to redirects the admin/users to the domain he wants.

Steps To Reproduce

There were some protections and filtering around the ref parameter, seems like // were filtered out and you would have been redirected to /, however, using /\/ I was able to bypass the filter and redirect the user to another domain

You can use the following payload to reproduce this redirect to your own domain:

/drpanel/logout.php?ref=/\/attacker.com

Impact

I wasn't able to find any SSO tokens or similar in the URL that could be potentially leaked using this open redirect, for now, the impact is just simply redirecting the user to another domain of attacker and doing phishing, however, keeping that in mind I will try to use that, later on, to bypass some protections over higher impact bugs such as SSRF.

Kind Regards,

HolyBugx

P4 Low

Endpoint: /drpanel/logout.php?ref=/

Parameter: ref

Payload: /\/attacker.com


FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.