FirstBlood-#842 Open Redirect on login.php with goto parameter
This issue was discovered on FirstBlood v2
On 2021-10-29, xnl-h4ck3r Level 4 reported:

I realised I had submitted Report #432 for open redirect on the same endpoint but using the javascript: scheme. I wasn't completely sure if this open redirect is classed as the same bug, or a separate bug.

Summary

There is an open redirect on /login.php using the goto parameter, which is not sanitised correctly, allowing an attacker to redirect a user to their site after login has happened. The parameter is also vulnerable to XSS (reported previously), which is more critical, but this is classed as a separate vulnerability.

Steps to reproduce

  1. Go to the endpoint /login.php?goto=//attacker.com and enter the login details.
  2. Press SECURE LOGIN and observe that the user is redirected to a different site.

Impact

Although this has lower impact than the XSS vulnerability on the same endpoint and parameter, this needs to be addressed separately. An attacker can craft a login link for a victim that will redirect them to the attacker's site once logged in.

P5 Informative

Endpoint: /login.php

Parameter: goto

Payload: //attacker.com

Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.

Report Feedback

@zseano

Creator & Administrator
Hi there, the intended bug for this was actually XSS as the redirect occurs via JS if you check the source and has more impact than the open redirect. You're right it's also vulnerable to open redirect so I won't reject but also won't assign any ID as no XSS demonstrated here :)
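The feedback above notes that the redirect on this endpoint happens client-side in JavaScript, which is also why the same parameter carries both the open redirect (`goto=//attacker.com`) and the javascript: scheme XSS from Report #432. The block below is an added example, not FirstBlood's source: it models the vulnerable `goto` handling as a function that returns the navigation target instead of navigating, and places a hardened version beside it that resolves the value against the site's own origin and rejects anything that leaves it. The origin `https://firstblood.example` and every sample input are constructed for illustration.

```javascript
// Added example (not FirstBlood's own code). Assumed site origin for the demo.
const SITE_ORIGIN = "https://firstblood.example";

// Vulnerable pattern: the raw query value is handed to the browser as the
// navigation target (stand-in for `window.location.href = goto`, returning
// the resolved URL instead of navigating). "//attacker.com" is a
// protocol-relative URL, so it resolves against the current scheme and leaves
// the site; "javascript:..." resolves to a javascript: URL, which is the XSS.
function vulnerableRedirectTarget(goto) {
  return new URL(goto, SITE_ORIGIN).href;
}

// Hardened pattern: resolve against our own origin, then only accept a result
// whose origin is still ours. This rejects absolute URLs, protocol-relative
// URLs, the backslash variant "/\attacker.com" (browsers treat the backslash
// as a slash for http(s) URLs), look-alike hosts, and non-http schemes such as
// javascript:, whose origin parses as the string "null". Rejected values fall
// back to the site root rather than being echoed anywhere.
function safeRedirectTarget(goto) {
  const fallback = SITE_ORIGIN + "/";
  if (typeof goto !== "string" || goto === "") return fallback;
  let url;
  try {
    url = new URL(goto, SITE_ORIGIN);
  } catch {
    return fallback; // unparseable value, e.g. "http://"
  }
  if (url.origin !== SITE_ORIGIN) return fallback;
  return url.href;
}

// Constructed inputs: the report's payload plus common open-redirect bypass
// shapes a tester would try against a naive "starts with /" check.
const SAMPLES = [
  "/dashboard.php",
  "//attacker.com",
  "https://attacker.com/",
  "/\\attacker.com",
  "javascript:alert(document.domain)",
  "https://firstblood.example.attacker.com/",
  "/dashboard.php?next=//attacker.com",
];

// Side-by-side view of where each input would send the user under each handler.
function compare() {
  return SAMPLES.map((goto) => ({
    goto,
    vulnerable: vulnerableRedirectTarget(goto),
    safe: safeRedirectTarget(goto),
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row));
}
```

The origin comparison is the whole check: it is stricter and easier to reason about than prefix or substring rules on the raw string, and it covers the javascript: scheme case in the same line because a javascript: URL never has the site's origin. A server-side implementation (the PHP that renders login.php) should apply the same rule before emitting the value into the page, so the client-side redirect never sees an off-origin target in the first place.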