FirstBlood-#816 Open Redirect on logout.php using ref parameter
This issue was discovered on FirstBlood v2



On 2021-10-28, xnl-h4ck3r Level 4 reported:

Summary

There is an open URL redirect vulnerability on /drpanel/logout.php using the ref parameter. The code expects it to start with / and does not allow redirecting to external domains, but this can be bypassed. The vulnerability existed in version 1, but could be bypassed using /\/attacker.com for example. This has been fixed, but a bypass is still possible.

Steps to reproduce

IMPORTANT: This payload works in Chrome and IE, but not in Firefox for some reason

  1. Setting the ref parameter to /%09/attacker.com will result in a Location header of / /attacker.com

  2. Visit the endpoint /drpanel/logout.php?ref=/%09/attacker.com and observe that you will be redirected to attacker.com.

Impact

As this is on a logout, there is no SSO token or anything that can be leaked. The only impact is that an attacker can make a victim redirect to any other site if they click the attacker's link.

P4 Low

Endpoint: /logout.php

Parameter: ref

Payload: /%09/attacker.com


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
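The root cause in both the v1 bypass (`/\/attacker.com`) and this one (`/%09/attacker.com`) is that the check only looked at the leading `/` and never at what the browser does with the decoded value: a tab, CR or LF is silently stripped, so `/<tab>/attacker.com` becomes the protocol-relative `//attacker.com`. The validator below is an added example of a defensive check for this endpoint; it is not FirstBlood's own code, and the function names are assumptions. It decodes once, rejects every C0 control character, rejects `/` or `\` in the second position, and confirms the result parses with no scheme and no host.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Browsers strip tab, CR and LF from URLs before resolving them, which is
# exactly how "/%09/attacker.com" turns into "//attacker.com". Treat every
# C0 control character (and DEL) in a redirect target as hostile.
_CONTROL_CHARS = {chr(c) for c in range(0x00, 0x20)} | {chr(0x7F)}


def is_safe_local_redirect(ref: str) -> bool:
    """Return True only if `ref` is an absolute path on this origin."""
    # Decode once so that %09, %0a, %5c etc. are examined as the characters
    # the Location header will actually carry.
    decoded = unquote(ref)
    if not decoded or any(ch in _CONTROL_CHARS for ch in decoded):
        return False
    # Exactly one leading slash: "//host" is protocol-relative, and "/\host"
    # is normalised to the same thing by Chrome (the v1 bypass).
    if decoded[0] != "/" or decoded[1:2] in ("/", "\\"):
        return False
    # Belt and braces: the parsed value must carry no scheme and no host.
    parts = urlsplit(decoded)
    return parts.scheme == "" and parts.netloc == ""


def logout_redirect_target(ref: Optional[str], fallback: str = "/") -> str:
    """Pick the Location value for logout.php: the validated ref, else fallback."""
    if ref is not None and is_safe_local_redirect(ref):
        return ref
    return fallback
```

Because the check runs on the decoded value, double encodings such as `/%2f%2fattacker.com` are caught by the same second-character rule rather than needing a separate blocklist entry.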