Open Redirect in octoprint/octoprint
Reported on
Apr 19th 2022
Description
URL redirection at the endpoint /login?next=, which can be used to redirect an admin to a malicious domain.
Proof of Concept
Send this link to the admin: http://localhost:3000/login?next=http://evil.com
When the admin opens it and tries to log in, the URL will redirect to http://evil.com
POC VIDEO
https://drive.google.com/file/d/1V2yxFFVGOYMNzCy6gPP2AAcfaUkSv6Yx/view?usp=sharing
Impact
An attacker can redirect the admin to a malicious domain.
References
I struggle right now to see how this could actually be abused apart from attempting to phish the admin. Can you elaborate on a potential vector that would justify the very high criticality you have set here?
@maintainer @foosel An attacker can send a phishing mail containing this URL: http://localhost:3000/login?next=http://evil.com to the admin. When the admin sees the mail, he will see that the link is genuine, and when he tries to log in it can redirect to a malicious website, which can harm the admin by downloading and executing any malicious file. Also, an attacker can host a phishing site that looks the same as OctoPrint, and when the admin logs in via http://localhost:3000/login?next=http://octoprint_clone.com it will redirect to the phishing site of OctoPrint; if the admin tries to log in once again, the attacker will be able to get the admin credentials.
So a phishing attack surface, as I said. Considering that this would require an attacker to know that the target has OctoPrint on their local network, know the URL to that and get the target to click that link in an email from someone even though OctoPrint will never send emails to login somewhere, I find it very much unlikely that that would ever work. Getting the user to click on a link claiming to be the login but then actually going elsewhere would work with the same likelihood.
I'm not saying that I'm not going to still look into this, but I definitely do not agree with the severity of "critical". This is quite a convoluted scenario to even launch the attack successfully, let alone have it go through, and boils down more to successful social engineering (target clicks on spurious links from external sources targeting their internal services) than anything else really.
I'm happy to validate this with a low severity and agree that OctoPrint should not redirect to anything but its own base, which I'll fix.
Classifying this as CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N based on existing CVEs of a similar nature.
High complexity again - find instance with network access to it, find person with account on target, get them to click link, successfully complete a phishing attack. Given the nature of OctoPrint instances (they don't send emails, login links aren't commonly shared, instances are usually kept behind a NAT, host names are self administered etc), this is not low complexity.
Hello @maintainer @foosel, you can see https://nvd.nist.gov/vuln/detail/CVE-2022-23102; it is similar to this report, and there they have given the severity as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 6.1 medium.
A fix has been prepared and will be rolled out with 1.8.0, which is planned to be released next week.
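The behaviour in the PoC above (the `next` parameter is followed wherever it points) next to the check the maintainer describes ("should not redirect to anything but its own base"), as an added example. This is not OctoPrint's code and not the fix that shipped in 1.8.0; the instance base `http://localhost:3000/` is taken from the PoC, and the function names, the `BASE_URL` constant and the sample `next` values are assumptions made for the example. The hardened check goes beyond the `http://evil.com` case in the report and also rejects the scheme-relative (`//evil.com`, `///evil.com`), backslash (`/\evil.com`), userinfo (`http://localhost:3000@evil.com/`) and non-HTTP-scheme variants that browsers still follow off-site.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumed base URL of the OctoPrint instance (taken from the PoC in the report).
BASE_URL = "http://localhost:3000/"

# Characters a browser either strips or rewrites before resolving a URL:
# C0 controls and space are stripped, and "\" is treated as "/" in http(s) URLs.
_UNSAFE_CHARS = re.compile(r"[\x00-\x20\x7f\\]")


def vulnerable_resolve_next(next_url: str, base_url: str = BASE_URL) -> str:
    """Redirect target as the report describes it: `next` is used as given,
    so /login?next=http://evil.com sends the user to http://evil.com."""
    return next_url or base_url


def is_safe_redirect_target(next_url: str, base_url: str = BASE_URL) -> bool:
    """True only if `next_url` resolves to the same scheme and host:port as
    `base_url`, i.e. stays on this OctoPrint instance."""
    if not isinstance(next_url, str) or not next_url:
        return False
    # Reject anything a browser would normalise into a different URL than
    # urllib sees (whitespace, control characters, backslashes).
    if _UNSAFE_CHARS.search(next_url):
        return False
    # "//host" and "///host" are scheme-relative for browsers; urljoin treats
    # "///host" as a path on the base, so check the raw string as well.
    if next_url.startswith("//"):
        return False
    base = urlsplit(base_url)
    target = urlsplit(urljoin(base_url, next_url))
    # A "javascript:" or "https:" target fails on scheme; "evil.com",
    # "localhost:3000@evil.com" and "localhost:3000.evil.com" fail on netloc.
    return (target.scheme.lower(), target.netloc.lower()) == (
        base.scheme.lower(),
        base.netloc.lower(),
    )


def hardened_resolve_next(next_url: str, base_url: str = BASE_URL) -> str:
    """Redirect target with the check applied: off-site or malformed `next`
    values fall back to the instance base instead of being followed."""
    if is_safe_redirect_target(next_url, base_url):
        return urljoin(base_url, next_url)
    return base_url


if __name__ == "__main__":
    # Constructed sample `next` values, including the one from the report.
    samples = [
        "http://evil.com",
        "//evil.com",
        "///evil.com",
        "/\\evil.com",
        "javascript:alert(1)",
        "http://localhost:3000@evil.com/",
        "http://localhost:3000.evil.com/",
        "/settings",
        "http://localhost:3000/settings?tab=access",
    ]
    for sample in samples:
        print(
            f"{sample!r:40} vulnerable -> {vulnerable_resolve_next(sample)!r:40} "
            f"hardened -> {hardened_resolve_next(sample)!r}"
        )
```

Comparing scheme and `netloc` after `urljoin` (rather than checking for a leading `/` or a substring match on the hostname) is what keeps same-instance absolute URLs such as `http://localhost:3000/settings` working while rejecting `localhost:3000.evil.com` and userinfo tricks; the raw-string checks in front of it exist only because browsers and `urllib` disagree on a few inputs.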