Open Redirect in forkcms/forkcms

Valid

Reported on Oct 17th 2021

Description

When a user who has access to the admin page but is not logged in opens a page such as http://forkcms.site/private/de/authentication?querystring=//google.de/ and enters their credentials, they are redirected to https://google.de.

When a user who has access to the admin page and is already logged in opens the same page, they are redirected to https://google.de automatically.

Several payloads work here; they are listed below in the Proof of Concept section.

Proof of Concept

Open a page like one of the following (replace forkcms.site with your own address).

http://forkcms.site/private/de/authentication?querystring=//google.de/
http://forkcms.site/private/de/authentication?querystring=/%5cgoogle.com
http://forkcms.site/private/de/authentication?querystring=//google%00.com
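As an added example that is not Fork CMS code (Fork CMS is PHP; this is a language-neutral illustration in Python), the check below accepts a post-login redirect target only when it is a same-site path, which rejects all three querystring values above. The fallback path /private/dashboard is an assumed value, not one taken from Fork CMS.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed fallback page for this example; not a real Fork CMS route.
DEFAULT_AFTER_LOGIN = "/private/dashboard"


def is_safe_local_redirect(target: str) -> bool:
    """Accept only a same-site, path-only target such as /private/de/dashboard?tab=1."""
    if not target:
        return False
    # Judge the decoded form so %5c and %00 are seen as the bytes a browser acts on.
    decoded = unquote(target)
    # Control characters (NUL included) never belong in a Location header value.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        return False
    # Browsers normalise a backslash to a slash, so "/\host" is read as "//host".
    if "\\" in decoded:
        return False
    # Exactly one leading slash: "//host" is a protocol-relative URL to another origin.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False
    parts = urlsplit(decoded)
    # After the checks above a genuine local path has neither scheme nor authority.
    return parts.scheme == "" and parts.netloc == ""


def redirect_after_login(querystring: Optional[str]) -> str:
    """Return the Location to send after a successful login, or the fixed fallback."""
    if querystring is not None and is_safe_local_redirect(querystring):
        return querystring
    return DEFAULT_AFTER_LOGIN


if __name__ == "__main__":
    # The three querystring values from the report, plus a legitimate local path.
    for value in ("//google.de/", "/%5cgoogle.com", "//google%00.com", "/private/de/dashboard"):
        print(f"{value!r:28} -> {redirect_after_login(value)}")
```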

Impact

This way, an attacker could redirect the user to any page the attacker controls.

We have contacted a member of the forkcms team and are waiting to hear back 7 months ago
Jelmer Prins validated this vulnerability 7 months ago
starkitsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jelmer Prins (Maintainer), 2 months ago:

Fix is currently in review.

Jelmer Prins confirmed that a fix has been merged on 77760a 2 months ago
Jelmer Prins has been awarded the fix bounty