FirstBlood-#47 — Open redirect on the logout.php endpoint [COLLAB]
This issue was discovered on FirstBlood v1
On 2021-05-09, holybugx reported:
I just found out that there is an open redirect vulnerability on the
/drpanel/logout.php endpoint using the
That enables an attacker to redirect the admin/users to the domain he wants.
Steps To Reproduce
There were some protections and filtering around the ref parameter, seems like // were filtered out and you would have been redirected to /, however, using /\/ I was able to bypass the filter and redirect the user to another domain.
You can use the following payload to reproduce this redirect to your own domain:
I wasn't able to find any SSO tokens or similar in the URL that could be potentially leaked using this open redirect. For now, the impact is simply redirecting the user to another domain of the attacker and doing phishing; however, keeping that in mind, I will try to use that later on to bypass some protections over higher impact bugs such as SSRF.
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the redirect target to start with / and does not allow redirects to external domains, but this can be bypassed.
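
The check described above fails because it inspects the raw string, while the browser resolves the Location value with the WHATWG URL parser, which treats \ as / for http(s) URLs. The following is an added example, not FirstBlood's code: naiveFilter is an assumed model of the filter as the report describes it, and SITE, the sample values and all function names are constructed. safeRedirect shows one way to validate the target by resolving it the way a browser does and comparing origins.

```javascript
// Added example. SITE, the sample values and the function names are constructed.
const SITE = 'https://app.example';

// Assumed model of the filter the report describes: "//" is stripped and the
// value must start with "/", otherwise the user is sent to "/".
function naiveFilter(ref) {
  const cleaned = String(ref).replace(/\/\//g, '');
  return cleaned.startsWith('/') ? cleaned : '/';
}

// Origin a browser would navigate to for a given Location header value.
// The WHATWG URL parser treats "\" as "/" for http(s) URLs.
function browserOrigin(location) {
  return new URL(location, SITE).origin;
}

// Hardened check: resolve the value the way a browser does, accept it only
// if it stays on SITE, and return the normalised path instead of the raw input.
function safeRedirect(ref, fallback = '/') {
  const value = String(ref ?? '');
  if (!value.startsWith('/')) return fallback;
  let target;
  try {
    target = new URL(value, SITE);
  } catch {
    return fallback; // unparsable target, e.g. an invalid host
  }
  if (target.origin !== SITE) return fallback;
  return target.pathname + target.search + target.hash;
}

// Constructed inputs: a normal path, the filtered form, and the form from the report.
const samples = ['/drpanel/login.php?next=1', '//other.example/', '/\\/other.example/'];

// For each input: where the naive filter's output lands, and what safeRedirect returns.
function audit() {
  return samples.map((ref) => ({
    ref,
    naiveLandsOn: browserOrigin(naiveFilter(ref)),
    safeValue: safeRedirect(ref),
  }));
}

console.table(audit());
```

Sending the normalised path that safeRedirect returns, not the original parameter, keeps the value that was validated and the value that is emitted identical.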