Cross-site scripting and open redirect vulnerability on Rock RMS Login Page in sparkdevnetwork/rock

Valid

Reported on

May 12th 2022


Description

The Rock RMS login page has a returnUrl parameter that is used to set window.location.href when the user has successfully logged in. An attacker can include a malicious JavaScript payload using a link crafted with the payload in the returnUrl parameter, such as 'javascript:...', that is then executed after the user successfully logs in using the link. In addition, an attacker can redirect the user to any URL that they desire, by setting the returnUrl parameter to a malicious URL.

Proof of Concept

To demonstrate the XSS vulnerability, navigate to this PoC link on the demo login page and login using the demo credentials: https://rock.rocksolidchurchdemo.com/page/3?returnurl=javascript%253Aalert(%27xss%27)

An alert box should be displayed, demonstrating that a malicious JS payload is executed.

To demonstrate the open redirect vulnerability, navigate to this PoC link on the demo login page and login using the demo credentials: https://rock.rocksolidchurchdemo.com/page/3?returnurl=https%253A%252F%252Fgoogle.com

You should be redirected to google.com, rather than the appropriate Rock RMS dashboard page.

Impact

It is possible to force a user to perform actions on their behalf, deface the website, or redirect the user to a malicious website. An attacker can also try to steal the user's credentials by redirecting them to a website that the attacker has hosted, that appears to be the Rock login page, and then capturing their credentials, or the attacker can steal the credentials directly from the legitimate Rock website if the session cookie/token is not appropriately protected.

We are processing your report and will contact the sparkdevnetwork/rock team within 24 hours. a month ago
Jordan Sherman modified the report
a month ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the sparkdevnetwork/rock team and are waiting to hear back a month ago
sparkdevnetwork/rock maintainer has acknowledged this report a month ago
sparkdevnetwork/rock maintainer validated this vulnerability a month ago
Jordan Sherman has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
sparkdevnetwork/rock maintainer confirmed that a fix has been merged on 2d55a2 a month ago
The fix bounty has been dropped
sparkdevnetwork/rock maintainer gave praise a month ago
Thank you. There were two spots that we fixed with two different commits, but the system only let me enter one. The other was [5510037](https://github.com/sparkdevnetwork/rock/commit/55100374b4671dda84f32c0e97e42f7acb30e57e).
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Jordan Sherman
a month ago

Researcher


Thanks @maintainer. Should we assign a CVE to this? @admin

Jamie Slome
a month ago

Admin


Happy to assign a CVE if the maintainer is 👍

to join this conversation