Open redirect on logout.php

FirstBlood-#940 — Open redirect on logout.php
This issue was discovered on FirstBlood v2

This report has been reviewed and accepted as a valid vulnerability on FirstBlood!

On 2021-10-30, 0xblackbird Level 5 reported:


Hello! I've found a bypass to the previous fix of the open redirect on the logout.php page. I was able to bypass it using a url encoded tab character.
Proof of concept:
https://76d53d060ade-0xblackbird.a.firstbloodhackers.com/drpanel/logout.php?ref=%2F%09%2Fexample%2ecom
Steps to reproduce:

The previous payload (/\/example.com) didn't work, but we can easily replace the \ with a tab character. So, knowing this, we can visit the proof of concept URL: https://76d53d060ade-0xblackbird.a.firstbloodhackers.com/drpanel/logout.php?ref=%2F%09%2Fexample%2ecom.



You'll see that we get redirected to https://example.com:


Kind regards,

0xblackbird

This report has been publicly disclosed for everyone to view

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: %2F%09%2Fexample%2ecom

FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.

BugBountyHunter

Proof of concept:

Steps to reproduce: