FirstBlood-#940: Open redirect on logout.php
This issue was discovered on FirstBlood v2.0.0 (issues patched)



On 2021-10-30, 0xblackbird Level 4 reported:

Hello! I've found a bypass to the previous fix of the open redirect on the logout.php page. I was able to bypass it using a URL-encoded tab character.

Proof of concept:

https://76d53d060ade-0xblackbird.a.firstbloodhackers.com/drpanel/logout.php?ref=%2F%09%2Fexample%2ecom

Steps to reproduce:

Kind regards,
0xblackbird

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: %2F%09%2Fexample%2ecom


FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed, but the code still failed to filter out certain characters such as %09, and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects Chrome.
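
Why a character filter and a URL parser can disagree on the reported `ref` value, shown as an added example (not FirstBlood's code or the reporter's): the WHATWG URL parsing algorithm, which Node's `URL` class implements, removes ASCII tab and newline characters before parsing. `naiveIsSafe` is a hypothetical stand-in for a string-based fix and `SITE_ORIGIN` is a constructed placeholder; the hardened check validates the resolved origin instead of the raw string.

```javascript
// Added example. SITE_ORIGIN and naiveIsSafe are assumptions, not FirstBlood code.
const SITE_ORIGIN = "https://firstblood.example"; // constructed placeholder

// The `ref` value from the report, decoded as the server would receive it.
const REPORTED_REF = decodeURIComponent("%2F%09%2Fexample%2ecom"); // "/\t/example.com"

// Hypothetical string-based filter: allow only values that look like a
// local path (leading "/", not "//", no scheme separator).
function naiveIsSafe(ref) {
  return ref.startsWith("/") && !ref.startsWith("//") && !ref.includes("://");
}

// Origin the value resolves to under WHATWG URL parsing, i.e. where a
// client using this parser would navigate if redirected to `ref`.
function effectiveOrigin(ref) {
  return new URL(ref, SITE_ORIGIN).origin;
}

// Hardened check: refuse control characters, resolve the value with a real
// URL parser, and accept it only if it stays on our own origin.
function safeRedirectTarget(ref, fallback = "/") {
  if (typeof ref !== "string" || /[\u0000-\u001f\u007f]/.test(ref)) return fallback;
  let url;
  try {
    url = new URL(ref, SITE_ORIGIN);
  } catch {
    return fallback;
  }
  if (url.origin !== SITE_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash; // re-serialised as a local path
}

console.log(naiveIsSafe(REPORTED_REF));        // the string filter's verdict
console.log(effectiveOrigin(REPORTED_REF));    // the URL parser's verdict
console.log(safeRedirectTarget(REPORTED_REF)); // what the hardened check returns
```

Returning the re-serialised path rather than the original string means the value placed in the `Location` header is the one that was validated.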