Open Redirect in causefx/organizr
Reported on Jun 28th 2021
✍️ Description
The file index.php passes unvalidated data to an HTTP redirect function on line 7. Allowing unvalidated input to control the URL used in a redirect can aid phishing attacks.
The data is sent at header() in index.php at line 7.
🕵️♂️ Proof of Concept
The following PHP code instructs the user's browser to open a URL parsed from the $group request parameter when a user clicks the link.

    case 'v1_auth':
        $group = ($_GET['group']) ?? 0; # takes user input
        header('Location: v2/auth?group=' . $group); # redirects user
        exit;
💥 Impact
Attackers can use open redirects to trick users into visiting a URL on a trusted site that then redirects them to a malicious site. By encoding the URL, an attacker can make it more difficult for end users to notice the malicious destination of the redirect, even when it is passed as a URL parameter to the trusted site. Open redirects are often abused as part of phishing scams to harvest sensitive end-user data.
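A hardened form of the v1_auth redirect from the Proof of Concept, given here as an added example and not as Organizr's own patch. It assumes the group parameter is a non-negative integer id (the original code defaults it to 0); the function name buildAuthRedirect is hypothetical.

```php
<?php
// Added example, not project code. Assumption: "group" is a small
// non-negative integer id, as the original default of 0 suggests.

/**
 * Build the Location value for the legacy v1_auth route.
 * The only variable part of the result is a validated integer.
 */
function buildAuthRedirect(array $query): string
{
    $raw = $query['group'] ?? '0';

    // $_GET values are strings or arrays (?group[]=x). Accept only a short
    // run of ASCII digits; anything else falls back to the default group 0.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        $raw = '0';
    }
    $group = (int) $raw;

    // http_build_query() percent-encodes the value, so the query string
    // stays well-formed even if the validation above is relaxed later.
    return 'v2/auth?' . http_build_query(['group' => $group]);
}

// In index.php the case would then read:
//     case 'v1_auth':
//         header('Location: ' . buildAuthRedirect($_GET));
//         exit;

// Constructed sample query strings, as PHP would parse them into $_GET.
$samples = [
    ['group' => '3'],                     // expected form
    [],                                   // parameter missing
    ['group' => 'https://example.org/'],  // URL instead of an id
    ['group' => '12abc'],                 // trailing non-digits
    ['group' => ['a', 'b']],              // array form ?group[]=a&group[]=b
];

foreach ($samples as $query) {
    echo json_encode($query), ' => ', buildAuthRedirect($query), PHP_EOL;
}
```

Only the first sample keeps its value; every other input collapses to group=0, so the redirect target never contains attacker-chosen text.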