FirstBlood-#92 — Open redirect at http://firstbloodhackers.com:49330/drpanel/logout.php
This report has been reviewed and accepted as a valid vulnerability on FirstBlood!
On 2021-05-10, 0xconft reported:
I found an open redirect on your website at the /drpanel/logout.php endpoint in the ref parameter. There's a filter in place where it must start with / and // is also filtered, but I ended up bypassing this with the payload "/\/evil.org", which is reflected as "//evil.org" in the Location header and thus redirects the victim to evil.org. An example of the impact of this vulnerability is that it can be combined with an SSRF attack to bypass filters, or it can be used for phishing.
GET /drpanel/logout.php?ref=/\/evil.org HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept-Encoding: gzip, deflate
HTTP/1.1 302 Found
Date: Mon, 10 May 2021 06:19:01 GMT
Content-Type: text/html; charset=UTF-8
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
This report has been publicly disclosed for everyone to view
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the value to start with / and does not allow redirects to external domains, but this check can be bypassed.
Respect Earnt: 1000000
Respect is an experimental cryptocurrency based on the Ethereum blockchain with the mission to show respect to those who deserve it. We are testing it out on our FirstBlood hackevent.