FirstBlood #564: Open redirect inside drpanel/logout.php endpoint
This issue was discovered on FirstBlood v2.0.0 (issues patched)

On 2021-10-26, neolex Level 2 reported:

Description

There is an open redirect inside the following URL: https://8745a5db48cf-neolex.a.firstbloodhackers.com/drpanel/logout.php?ref=/%09/evil.com The value of ref is reflected inside the Location header.

The payload must start with / but // (two slashes) is filtered; you can bypass this filter by adding a tab (%09) between the two slashes. So, using the following payload: /%09/evil.com, the attacker can redirect the user to evil.com

Steps to reproduce

Impact

The impact of this open redirection is that an attacker can redirect the user to another website. It can be useful for phishing.

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /%09/evil.com
FirstBlood ID: 18
Vulnerability Type: Open Redirect

The earlier open redirect bug on logout.php was fixed, but the patched code still failed to filter out certain characters such as %09 (tab), so the endpoint remained vulnerable to open redirect. This vulnerability only affects Chrome.
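The root cause described above is a prefix check on the decoded ref value ("starts with / but not //") that ignores characters browsers strip before parsing. The following is an added example, not FirstBlood's own code: it places a check of the kind the report describes next to a hardened validator for a ?ref= parameter. It is written in Python so it runs stand-alone; the default landing page name is an assumption, and the FirstBlood host is not involved.

```python
"""Added example (not FirstBlood's logout.php): weak prefix check versus a
hardened validator for a ?ref= redirect parameter."""
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed fallback target when ref is rejected; not taken from the report.
DEFAULT_TARGET = "/drpanel/index.php"


def weak_filter(decoded_ref: str) -> Optional[str]:
    """Approximates the check the report describes: accept a value that starts
    with '/' and reject one that starts with '//'. Returns what would be put
    in the Location header, or None when rejected."""
    if decoded_ref.startswith("/") and not decoded_ref.startswith("//"):
        return decoded_ref
    return None


def browser_normalize(url: str) -> str:
    """WHATWG URL parsing removes ASCII tab, LF and CR anywhere in the input
    before parsing, so '/\\t/evil.com' is handled as '//evil.com', a
    protocol-relative URL pointing at another host."""
    return url.replace("\t", "").replace("\n", "").replace("\r", "")


def safe_redirect_target(raw_ref: str, default: str = DEFAULT_TARGET) -> str:
    """Return raw_ref only if it is a site-local absolute path; else default.
    raw_ref is the percent-encoded query value as it appears in the URL."""
    ref = unquote(raw_ref)  # PHP performs this decode before filling $_GET

    # 1. Any control character (tab, CR, LF, ...) or backslash is rejected:
    #    browsers strip the former and many treat '\' as '/'.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in ref) or "\\" in ref:
        return default

    # 2. Must be an absolute path with exactly one leading slash.
    if not ref.startswith("/") or ref.startswith("//"):
        return default

    # 3. Parsed as a URL it must carry neither a scheme nor an authority.
    parts = urlsplit(ref)
    if parts.scheme or parts.netloc:
        return default

    # 4. Re-check after browser-style normalization so nothing that becomes
    #    '//host' after stripping can slip through.
    if browser_normalize(ref).startswith("//"):
        return default

    return ref


if __name__ == "__main__":
    # Constructed inputs: the bypass value from the report and a benign path.
    for raw in ("/%09/evil.com", "//evil.com", "/%2F/evil.com",
                "/%5Cevil.com", "https://evil.com", "/drpanel/index.php?x=1"):
        print(f"{raw!r:28} weak={weak_filter(unquote(raw))!r:20} "
              f"safe={safe_redirect_target(raw)!r}")
```

The weak filter returns the tab-containing path unchanged, and after the browser drops the tab the Location value is a protocol-relative URL for evil.com. The hardened version rejects on control characters first, so the decoded tab never reaches the prefix test, and the remaining checks catch the plain //, the percent-encoded slash and backslash variants, and absolute URLs.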