FirstBlood-#940Open redirect on logout.php
This issue was discovered on FirstBlood v2

On 2021-10-30, 0xblackbird Level 5 reported:

Hello! I've found a bypass to the previous fix of the open redirect on the logout.php page. I was able to bypass it using a url encoded tab character.

Proof of concept:

Steps to reproduce:

Kind regards,

P4 Low

Endpoint: /drpanel/logout.php

Parameter: ref

Payload: %2F%09%2Fexample%2ecom

FirstBlood ID: 18
Vulnerability Type: Open Redirect

The open redirect bug on logout.php was fixed but the code still failed to filter out certain characters such as %09 and thus the endpoint is still vulnerable to open redirect. This vulnerability only affects chrome.