FirstBlood-#535Open Redirect on /drpanel/logout.php?ref=
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-26, th4nu0x0 Level 2 reported:

Summary:

The ref parameter is still vulnerable to open redirect on /drpanel/logout.php it turns out that fix was not sufficient and I was able to bypass the fix by adding %09. ​ ​

Payload:

  • /drpanel/logout.php?ref=/%09/google.com

Steps To Reproduce:

Impact:

Open redirects can be used in phishing attacks to trick users into thinking that they visiting legitimate website.

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /%09/google.com


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.