Open Redirect in causefx/organizr

Valid

Reported on Jun 28th 2021


✍️ Description

The file index.php passes unvalidated request data to the HTTP redirect function header() on line 7. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.

🕵️‍♂️ Proof of Concept

The following PHP code instructs the user's browser to open a URL built from the group request parameter ($group) when a user clicks the link.

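    case 'v1_auth':
        // Takes user input from the query string without validation (defaults to 0).
        $group = ($_GET['group']) ?? 0;
        // Concatenates the raw value into the Location header and redirects the user.
        header('Location: v2/auth?group=' . $group);
        exit;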

💥 Impact

Attackers can use open redirects to trick users into visiting a URL on a trusted site that then redirects them to a malicious site. By encoding the URL, an attacker can make it more difficult for end users to notice the malicious destination of the redirect, even when it is passed as a URL parameter to the trusted site. Open redirects are often abused as part of phishing scams to harvest sensitive end-user data.
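One way to harden the v1_auth case from the proof of concept, shown as an added example and not the fix the project merged: validate the parameter before it reaches header(). It assumes group is a non-negative integer id (the original code defaults it to 0); the function name buildAuthRedirect and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Build the Location value for the v1_auth -> v2/auth redirect.
 * Assumption: "group" is a non-negative integer id. Any other value
 * is replaced by the default 0 instead of being passed through.
 */
function buildAuthRedirect($rawGroup): string
{
    // Reject arrays (?group[]=x), null and other non-scalar input.
    if (!is_scalar($rawGroup)) {
        $rawGroup = '0';
    }

    // Accept only a well-formed integer >= 0; filter_var returns false otherwise.
    $group = filter_var(
        (string) $rawGroup,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    if ($group === false) {
        $group = 0;
    }

    // The target path stays a fixed, relative, server-chosen string.
    // Encoding is redundant for an integer and kept as defence in depth.
    return 'v2/auth?group=' . rawurlencode((string) $group);
}

// In index.php the case would then read:
//   case 'v1_auth':
//       header('Location: ' . buildAuthRedirect($_GET['group'] ?? 0));
//       exit;

// Constructed sample inputs, run from the command line to see the result.
$samples = ['1', '0', null, '-5', '//example.test/login',
            'https://example.test', '2&group=9', ['a']];
foreach ($samples as $sample) {
    printf("%-28s => %s\n", json_encode($sample), buildAuthRedirect($sample));
}
```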

We have contacted a member of the causefx/organizr team and are waiting to hear back (a year ago)
causefx validated this vulnerability (a year ago)
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
causefx confirmed that a fix has been merged on 7ba6fe (a year ago)
causefx has been awarded the fix bounty