FirstBlood-#718 — Open redirect by logout.php
This issue was discovered on FirstBlood v2
On 2021-10-27, newrouge Level 3 reported:
Hey, I found that the endpoint /drpanel/logout.php?ref= is still vulnerable to open redirect.
The developer seems to have made some fixes to stop the redirect, but it's still vulnerable to open redirect with bypasses.
Payloads like \/\/google.com are filtered, unlike last time, but
/%09/google.com bypasses the filter.
Send this URL https://07fd5a4e51cb-newrouge.a.firstbloodhackers.com/drpanel/logout.php?ref=%2f%0d%2fgoogle.com to the victim and they will be redirected to google.com.
PS: This payload works fine on Chrome, Chromium, Brave and IE but **not on Firefox**.
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as
%09, and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
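As an added illustration (not FirstBlood's logout.php source, which the report does not include), the Python below approximates a blocklist-style `ref` check that a whitespace byte slips past, next to an allowlist check that rejects it. The filter logic, the helper names and the sample payloads are constructed assumptions, not the program's code.

```python
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed stand-in for a blocklist-style check: it catches "//" and "\/\/"
# style prefixes but never looks at control characters, so "/%09/host" passes.
def weak_is_safe_ref(ref: str) -> bool:
    decoded = unquote(ref)  # PHP's $_GET would already hand us the decoded value
    if re.match(r"^[\\/]{2}", decoded):
        return False
    return "://" not in decoded

# Allowlist alternative: accept only a plain same-origin absolute path.
def safe_local_path(ref: str) -> Optional[str]:
    decoded = unquote(ref)
    # Browsers strip tab/CR/LF before parsing a Location header, so
    # "/\t/google.com" becomes "//google.com" client-side. Reject every
    # ASCII control or whitespace byte rather than enumerating a few.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in decoded):
        return None
    # Exactly one leading slash: "//host" and "/\host" are scheme-relative.
    if not decoded.startswith("/") or decoded[1:2] in ("/", "\\"):
        return None
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return None
    return decoded

def resolve_logout_redirect(ref: str, default: str = "/login") -> str:
    """Location to send after logout: the validated path, else the default."""
    return safe_local_path(ref) or default

if __name__ == "__main__":
    # Constructed payloads: the two from the report plus ones it says are now blocked.
    for payload in ["/%09/google.com", "%2f%0d%2fgoogle.com",
                    r"\/\/google.com", "//google.com", "/dashboard"]:
        print(f"{payload:24} blocklist={weak_is_safe_ref(payload)!s:5} "
              f"allowlist={safe_local_path(payload)!r}")
```

In a PHP handler the equivalent check would sit in front of the `header('Location: ...')` call, with the default path used whenever validation fails.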