FirstBlood-#940 — Open redirect on logout.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)
On 2021-10-30, 0xblackbird reported:
Hello! I've found a bypass to the previous fix of the open redirect on the logout.php page. I was able to bypass it using a url encoded tab character.
Proof of concept:
Steps to reproduce:
- The previous payload (`/\/example.com`) didn't work, but we can easily replace the `\` with a tab character. So, knowing this, we can visit the proof of concept URL: https://76d53d060ade-0xblackbird.a.firstbloodhackers.com/drpanel/logout.php?ref=%2F%09%2Fexample%2ecom.
- You'll see that we get redirected to https://example.com:
FirstBlood ID: 18
Vulnerability Type: Open Redirect
The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
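The root cause described above is that the fix inspected the raw `ref` value for forbidden characters instead of normalising it the way a browser does: the WHATWG URL parser silently drops ASCII tab, CR and LF before parsing, so `/<TAB>/example.com` becomes the protocol-relative `//example.com` only after the server-side check has already passed it. The following Python is an added illustration, not FirstBlood's code: `naive_allows` is a hypothetical stand-in for a character-blacklist check of the kind the triage note describes, and `is_safe_local_redirect` is a validator that normalises first and then only accepts a same-origin path. The base origin `https://app.example.invalid/` is a placeholder.

```python
from urllib.parse import unquote, urljoin, urlsplit

# Characters the WHATWG URL parser strips from a URL before parsing.
# A blacklist that looks for "//" or "\" without removing these first is
# bypassed by inserting one of them (the report's %09 is an ASCII tab).
URL_STRIPPED_CHARS = "\t\n\r"

# Hypothetical stand-in for a blacklist-style check (not FirstBlood's code):
# it only looks for the characters seen in the earlier payload.
def naive_allows(ref: str) -> bool:
    return "\\" not in ref and "//" not in ref and not ref.startswith("http")

def is_safe_local_redirect(ref: str, base: str = "https://app.example.invalid/") -> bool:
    """Return True only if `ref` resolves to a path on the same origin as `base`."""
    if not ref:
        return False
    # Normalise exactly as a browser would, so the check sees what the browser sees.
    cleaned = "".join(ch for ch in ref if ch not in URL_STRIPPED_CHARS)
    # Any remaining control character is rejected outright.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in cleaned):
        return False
    # Browsers treat "\" as "/" in special-scheme URLs, so canonicalise it too.
    cleaned = cleaned.replace("\\", "/")
    # Accept only a relative path that begins with exactly one "/".
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return False
    # Belt and braces: resolve against our own origin and confirm it is unchanged.
    resolved = urlsplit(urljoin(base, cleaned))
    base_parts = urlsplit(base)
    return (resolved.scheme, resolved.netloc) == (base_parts.scheme, base_parts.netloc)

def ref_from_query(raw_value: str) -> str:
    """Percent-decode a query-string value the way a web framework does before validation."""
    return unquote(raw_value)

if __name__ == "__main__":
    # Constructed inputs: the report's percent-encoded payload and a legitimate local path.
    for raw in ("%2F%09%2Fexample%2ecom", "/%5C/example.com", "/drpanel/"):
        ref = ref_from_query(raw)
        print(f"{raw!r}: naive={naive_allows(ref)} hardened={is_safe_local_redirect(ref)}")
```

The naive check passes the tab payload because it never sees `//`; the hardened validator strips the tab first, sees `//example.com`, and refuses it. Normalising before checking, then allow-listing a single-slash same-origin path, is the pattern that survives both the backslash and the tab variants.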