Open Redirect in causefx/organizr

Valid
Reported on Jun 28th 2021

✍️ Description

The file index.php passes unvalidated request data to an HTTP redirect: on line 7 the data is sent in the Location header set by header(). Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.

🕵️‍♂️ Proof of Concept

The following PHP code instructs the user's browser to open a URL built from the group request parameter (stored in $group) when a user clicks the link.

    case 'v1_auth':
        $group = ($_GET['group']) ?? 0; #takes user input
        header('Location: v2/auth?group=' . $group); #redirects user
        exit;

💥 Impact

Attackers can use open redirects to trick users into following a link to a trusted site that then redirects them to a malicious site. By encoding the URL, an attacker can make it harder for end users to notice the malicious destination of the redirect, even when it is passed as a URL parameter to the trusted site. Open redirects are often abused in phishing scams to harvest sensitive end-user data.
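
One way to harden the redirect shown in the Proof of Concept, as an added example (not Organizr's code and not the fix merged in 7ba6fe): validate group as an integer before it reaches header(). The helper name build_auth_redirect and the assumption that group is a non-negative integer id are hypothetical; the sample inputs are constructed.

```php
<?php
// Added example; not Organizr code and not the fix merged upstream.
// Assumption: group is a non-negative integer id (the original defaults it to 0).

/**
 * Hypothetical helper: build the Location value for the v1_auth redirect.
 * Anything that is not a plain non-negative integer falls back to 0, so
 * request data cannot contribute URL or header syntax.
 */
function build_auth_redirect($rawGroup): string
{
    $group = 0;
    if (is_scalar($rawGroup)) {
        $group = filter_var($rawGroup, FILTER_VALIDATE_INT, [
            'options' => ['default' => 0, 'min_range' => 0],
        ]);
    }
    // http_build_query() percent-encodes the value as a second layer.
    return 'v2/auth?' . http_build_query(['group' => $group]);
}

// In the switch from the report this would be used as:
//   case 'v1_auth':
//       header('Location: ' . build_auth_redirect($_GET['group'] ?? 0));
//       exit;

// Constructed sample inputs: two valid ids, then values that must be rejected.
$samples = ['1', '42', '-5', 'https://example.com/', "1\r\nX-Test: 1", '1&next=//example.com', ['1']];
foreach ($samples as $sample) {
    printf("%-32s => %s\n", json_encode($sample), build_auth_redirect($sample));
}
```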

We have contacted a member of the causefx/organizr team and are waiting to hear back (a month ago)
causefx validated this vulnerability (a month ago)
Akshay Jain has been awarded the disclosure bounty ($40)
The fix bounty is now up for grabs ($10)
causefx confirmed that a fix has been merged on 7ba6fe (a month ago)
causefx has been awarded the fix bounty ($10)