Replies: 5 comments
As this is an open source project, there is no need to discuss this in private.
Sure.

Vulnerability Type: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') https://cwe.mitre.org/data/definitions/601.html

Description: The `url` parameter can be added to the URL of the /login.php page, which allows a redirection to any arbitrary page after pressing the login button with valid credentials.

Proof of Concept: An attacker can prepare a URL such as this: http://localhost:8000/login.php?url=http://wikipedia.org. This will lead the victim to any site that is input after the `url` parameter, such as http://wikipedia.org, after trying to log in with valid credentials. This is because of the following code in login.php:

```php
}elseif($_GET['url']){
    $redirect = $_GET['url'];
}else{
    $redirect = '/index.php';
}
header('Location: '.$redirect);
```

After pressing the login button, the user gets redirected to the unsanitized parameter `url`.

Fix: If not needed, remove the user-controlled redirect parameter `url`. If it is needed that a user can control the redirect, make sure to sanitize the input.
This is actually needed in order to redirect to the previous url if the session is expired. This is particularly in use (but not limited to) in the formula making page.
Okay, I provided a way to validate the input so that the redirect can only be internal in #86. This shouldn't break the mentioned functionality, if I understand correctly.
Briefly testing this breaks the redirection to the original url; needs further testing.
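One way to restrict the `url` parameter from the report above to internal targets, as an added example: it is not the project's code and not the change proposed in #86. The function name `internal_redirect_target`, the `$ownHost` parameter and the `/formula.php` sample path are assumptions; it goes slightly beyond the thread by also accepting absolute URLs on the configured host, reduced to their local path.

```php
<?php
// Added example, not the project's code and not the change in #86.
// internal_redirect_target() and $ownHost are hypothetical names.
function internal_redirect_target($candidate, string $ownHost, string $default = '/index.php'): string
{
    // $_GET values can be arrays or missing; only non-empty strings qualify.
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    // Control characters, spaces and backslashes never belong in a redirect
    // target; browsers may treat "\" as "/", turning "/\host" into "//host".
    if (preg_match('/[\x00-\x20\x7F\\\\]/', $candidate)) {
        return $default;
    }
    // Absolute http(s) URL: accept only our own host, then keep just the
    // local part so the Location header can never name another origin.
    if (preg_match('#^https?://#i', $candidate)) {
        $p = parse_url($candidate);
        if ($p === false || isset($p['user']) || strcasecmp($p['host'] ?? '', $ownHost) !== 0) {
            return $default;
        }
        $candidate = ($p['path'] ?? '/') . (isset($p['query']) ? '?' . $p['query'] : '');
    }
    // Site-relative path: exactly one leading slash ("//host" is another origin).
    if ($candidate[0] !== '/' || strncmp($candidate, '//', 2) === 0) {
        return $default;
    }
    return $candidate;
}

// Constructed sample inputs; /formula.php is a made-up page name.
$samples = [
    '/formula.php?id=3',
    'http://localhost:8000/formula.php?id=3',
    'http://wikipedia.org',
    '//wikipedia.org',
    '/\\wikipedia.org',
    'http://localhost@wikipedia.org/',
];
foreach ($samples as $s) {
    printf("%-42s -> %s\n", $s, internal_redirect_target($s, 'localhost'));
}
// In login.php the branch quoted in the report would then read:
//   $redirect = internal_redirect_target($_GET['url'] ?? null, 'localhost');
```

The host should come from configuration rather than from the request's `Host` header, which the client controls.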
Hello,
I've discovered a potential security issue in your project. Could you please provide a secure method of contact to discuss it privately?
Thank you!