FirstBlood-#842 — Open Redirect on login.php with goto parameter
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-29, xnl-h4ck3r reported:
There is an open redirect on the goto parameter that is not sanitised correctly, allowing an attacker to redirect a user to their site after login has happened. The parameter is also vulnerable to XSS (reported previously) which is more critical, but this is classed as a separate vulnerability.
Steps to reproduce
- Go to the endpoint /login.php?goto=//attacker.com and enter the login details.
- Press SECURE LOGIN and observe the user is redirected to a different site.
Although this has lower impact than the XSS vulnerability on the same endpoint and parameter, this needs to be addressed separately. An attacker can craft a login link for a victim that will redirect them to the attacker's site once logged in.
Even though this issue has been accepted as valid, no FirstBlood ID has been set for this report.
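Added here as an illustration of the fix a defender would apply, not code from FirstBlood or from the reporter: a Python check that accepts only a same-site absolute path as the post-login destination and falls back to a default landing page otherwise. It refuses the protocol-relative form given in the report (//attacker.com) and, going beyond the report, the neighbouring forms a strict allow-rule must also refuse (extra leading slashes, backslashes, absolute URLs, non-http schemes, control characters). The default landing page `/`, the function names and every sample value are assumptions for this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed post-login page used when the goto value is missing or unsafe.
DEFAULT_LANDING = "/"


def is_safe_local_redirect(target: str) -> bool:
    """Return True only for a same-origin, path-only redirect target.

    The rule is an allow-list on shape, not a block-list of hosts:
    the value must be an absolute path on this site and nothing else.
    """
    if not target:
        return False
    # Raw-string checks first: the URL parser's view of "///host" is a
    # path, but browsers collapse the extra slashes into an authority.
    if not target.startswith("/") or target.startswith("//"):
        return False
    # Browsers treat a backslash like a forward slash (/\host), so never allow one.
    if "\\" in target:
        return False
    # Control characters and stray whitespace can split a Location header
    # or change how a client parses the value; refuse them outright.
    if target != target.strip() or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    # Belt and braces: after the checks above the parser must see neither a
    # scheme nor an authority component.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_redirect_target(goto: Optional[str], default: str = DEFAULT_LANDING) -> str:
    """Pick the destination to send the user to after a successful login."""
    if goto is not None and is_safe_local_redirect(goto):
        return goto
    return default


if __name__ == "__main__":
    # Constructed sample goto values; only the last two should be accepted.
    samples = [
        "//attacker.com",             # the form from the report
        "///attacker.com",            # extra slashes still resolve off-site in browsers
        "/\\attacker.com",            # backslash is normalised to a slash by browsers
        "https://attacker.com/",      # absolute URL
        "javascript:alert(1)",        # non-http scheme
        "/x\r\nSet-Cookie: a=b",      # header injection attempt
        "/",
        "/dashboard.php?tab=1",
    ]
    for value in samples:
        print(f"{value!r:32} -> {safe_redirect_target(value)!r}")
```

Wiring this in is a one-line change at the redirect: send the user to `safe_redirect_target(request_goto)` instead of to the raw parameter. Because the rule is structural, the same function also closes the related bypasses that a host-name block-list would miss.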