Open Redirect in octoprint/octoprint

Valid

Reported on

Apr 19th 2022


Description

URL redirection at the endpoint /login?next=, which leads to redirecting the admin to a malicious domain.

Proof of Concept

Send this link to the admin: http://localhost:3000/login?next=http://evil.com

When he opens it and tries to log in, the URL will redirect to /evil.com

POC VIDEO

https://drive.google.com/file/d/1V2yxFFVGOYMNzCy6gPP2AAcfaUkSv6Yx/view?usp=sharing

Impact

An attacker can redirect the admin to a malicious domain.

References

We are processing your report and will contact the octoprint team within 24 hours. 2 months ago
We have contacted a member of the octoprint team and are waiting to hear back 2 months ago
octoprint/octoprint maintainer has acknowledged this report 2 months ago
Gina Häußge
2 months ago

I struggle right now to see how this could actually be abused apart from attempting to phish the admin. Can you elaborate on a potential vector that would justify the very high criticality you have set here?

Raj
2 months ago

Researcher


@maintainer @foosel An attacker can send a phishing mail containing this URL: http://localhost:3000/login?next=http://evil.com to the admin. When the admin sees the mail he will see that the link is genuine, and when he tries to log in it can redirect to a malicious website and harm the admin by downloading and executing any malicious file. Also, the attacker can host a phishing site that looks the same as OctoPrint, and when the admin logs in via http://localhost:3000/login?next=http://octoprint_clone.com it will redirect to the phishing site of OctoPrint; if the admin tries to log in once again, the attacker will be able to get the admin's credentials.

Gina Häußge
2 months ago

So a phishing attack surface, as I said. Considering that this would require an attacker to know that the target has OctoPrint on their local network, know the URL to it, and get the target to click that link in an email from someone even though OctoPrint will never send emails to log in somewhere, I find it very unlikely that that would ever work. Getting the user to click on a link claiming to be the login but then actually going elsewhere would work with the same likelihood.

I'm not saying that I'm not going to still look into this, but I definitely do not agree with the severity of "critical". This is quite a convoluted scenario to even launch the attack successfully, let alone have it go through, and boils down more to successful social engineering (target clicks on spurious links from external sources targeting their internal services) than anything else really.

I'm happy to validate this with a low severity and agree that OctoPrint should not redirect to anything but its own base, which I'll fix.
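Added example, not part of this thread and not OctoPrint's own code or the fix referenced above: a stdlib-only Python check of the kind a login handler can apply to a `next` parameter so that it only ever redirects within its own base URL. The helper name `resolve_next` and the sample inputs are assumptions made for illustration; the inputs are constructed to cover the variants a validator of this kind must reject (absolute URLs to other hosts, protocol-relative `//host` forms, backslash variants that browsers treat as slashes, non-HTTP schemes, and paths that escape a sub-path base).

```python
from urllib.parse import urljoin, urlsplit


def resolve_next(next_param, base_url, fallback="/"):
    """Return a same-origin, same-base-path redirect target, or `fallback`.

    Hypothetical helper: resolves `next_param` against `base_url` and keeps
    it only if the result stays on the application's own origin and under
    its base path. Anything else collapses to `fallback`.
    """
    if not next_param:
        return fallback

    # Browsers treat backslashes in the authority/path as forward slashes,
    # so normalise before parsing to avoid "/\evil.com" slipping through.
    candidate = next_param.replace("\\", "/")

    base = urlsplit(base_url)
    target = urlsplit(urljoin(base_url, candidate))

    # Origin check: scheme and host:port must match exactly. This also
    # rejects "//evil.com" (protocol-relative) and "javascript:" schemes.
    if (target.scheme, target.netloc) != (base.scheme, base.netloc):
        return fallback

    # Path check: the target must stay under the configured base path,
    # so an instance served at /octoprint/ cannot be sent to /other.
    base_path = base.path.rstrip("/") + "/"
    if not (target.path + "/").startswith(base_path):
        return fallback

    # Emit a relative target so the redirect can never name another host.
    resolved = target.path or "/"
    if target.query:
        resolved += "?" + target.query
    return resolved


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real report.
    base = "http://localhost:3000/"
    for nxt in [
        "http://evil.com",
        "//evil.com",
        "/\\evil.com",
        "javascript:alert(1)",
        "/settings?tab=plugins",
        "http://localhost:3000/settings",
        "http://localhost:3000@evil.com/",
    ]:
        print(f"{nxt!r:40} -> {resolve_next(nxt, base)!r}")
```

The key design choice is to compare the fully resolved origin rather than to inspect the raw string for a leading slash; string-prefix checks are what typically let `//host` and `/\host` forms through.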

Gina Häußge modified the report
2 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Gina Häußge validated this vulnerability 2 months ago

Classifying this as CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N based on existing CVEs of a similar nature.

High complexity again - find instance with network access to it, find person with account on target, get them to click link, successfully complete a phishing attack. Given the nature of OctoPrint instances (they don't send emails, login links aren't commonly shared, instances are usually kept behind a NAT, host names are self administered etc), this is not low complexity.

Raj has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Raj
2 months ago

Researcher


Hello @maintainer @foosel, you can see https://nvd.nist.gov/vuln/detail/CVE-2022-23102; it is similar to this report. There they have mentioned the severity as CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 6.1 medium.

We have sent a fix follow up to the octoprint team. We will try again in 7 days. 2 months ago
We have sent a second fix follow up to the octoprint team. We will try again in 10 days. 2 months ago
Gina Häußge
a month ago

A fix has been prepared and will be rolled out with 1.8.0, which is planned to be released next week.

We have sent a third and final fix follow up to the octoprint team. This report is now considered stale. a month ago
Raj
a month ago

Researcher


No worries you can take your time @Maintainer

Gina Häußge confirmed that a fix has been merged on 808752 a month ago
Gina Häußge has been awarded the fix bounty