FirstBlood-#833 — [BYPASS] Open URL Redirect on /drpanel/logout.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-29, buraaq Level 2 reported:
I have found a bypass to the Open redirect on
As we look at last hackevent's payload //https:\/\/www.google.com, Patrice has tried to filter two consecutive // to avoid OR, but it can be bypassed easily with the tab char %09: the browser ignores it and joins them.
Steps to reproduce
- As a logged in Doctor, click on the securely sign out button to logout.
- Notice the endpoint has a ref variable.
- If you submit the following payload, the application will redirect the user to the URL provided by the payload:
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, so the endpoint remained vulnerable to open redirect. This vulnerability only affects Chrome.
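The root cause above is a mismatch between what the server's filter sees and what the browser parses: the WHATWG URL parser strips ASCII tab, LF and CR from a URL before it looks for the "//" that makes a target scheme-relative, so a check that only searches the raw string for two consecutive slashes misses them. As an added example (Python, not FirstBlood's PHP and not the project's own code), here is a server-side validator for the ref parameter that rejects the tab trick described in this report and goes slightly beyond it by refusing every C0 control character, DEL and backslash, then confirming the resolved target stays on the application's own origin. naive_filter is an assumed approximation of a check that only rejects "//"; APP_ORIGIN and DEFAULT_AFTER_LOGOUT are constructed placeholders, and all function names are assumptions.

```python
"""Server-side validation of a post-logout redirect target.

Added example, not FirstBlood's own code. naive_filter() is an assumed
approximation of a check that only rejects two consecutive slashes;
is_safe_redirect() is a hardened replacement. APP_ORIGIN is a constructed
placeholder host.
"""
from urllib.parse import unquote, urljoin, urlsplit

APP_ORIGIN = "https://firstblood.example"   # constructed placeholder, not the real host
DEFAULT_AFTER_LOGOUT = "/drpanel/"           # assumed landing page after logout


def naive_filter(ref: str) -> bool:
    """Assumed approximation of a '//'-only check. Returns True when the target is allowed."""
    return "//" not in unquote(ref)


def is_safe_redirect(ref: str, origin: str = APP_ORIGIN) -> bool:
    """Return True only if ref is a same-origin path, judged the way a browser will parse it."""
    # PHP's $_GET hands the script an already-decoded value, so decode once here to mirror that.
    target = unquote(ref)
    # Browsers drop ASCII tab/LF/CR from a URL before parsing, so "/\t/host" becomes "//host"
    # (scheme-relative, i.e. external). Refuse every C0 control character and DEL outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" as "/" in http(s) URLs, so "/\host" is scheme-relative as well.
    if "\\" in target:
        return False
    # Require exactly one leading slash: absolute URLs and "//host" forms stop here.
    if not target.startswith("/") or target.startswith("//"):
        return False
    # Belt and braces: resolve against our origin and confirm scheme and host did not change.
    resolved = urlsplit(urljoin(origin + "/", target))
    ours = urlsplit(origin)
    return (resolved.scheme, resolved.netloc) == (ours.scheme, ours.netloc)


def redirect_target(ref: str) -> str:
    """Decoded value to place in the Location header, or the default landing page."""
    return unquote(ref) if is_safe_redirect(ref) else DEFAULT_AFTER_LOGOUT


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate path, two external targets and the tab variant.
    for ref in ["/drpanel/", "//www.google.com", "/%09/www.google.com", "https://www.google.com"]:
        print(f"{ref!r:28} naive={naive_filter(ref)!s:5} hardened={is_safe_redirect(ref)}")
```

Two design points: the decoded string is what gets validated, because that is the string header() will emit and the browser will parse; and control characters are rejected rather than stripped, since a logout redirect never legitimately contains them and rejecting keeps the validator independent of which characters a given browser happens to ignore.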