Open Redirect on "returnUrl=" parameter in btcpayserver/btcpayserver

Valid

Reported on

Jan 30th 2023

Description

Hello Team while testing the "returnUrl=" parameter on login page it was not vulnerable, but I found another way to get Open Redirect with that parameter

Proof of Concept

Here is the Video POC of this vulnerability
https://drive.google.com/file/d/1UNnRv-E0bwcWWSFSOSDLoTGEdkH4cIKd/view?usp=sharing

Step to Reproduce:

Login your account on https://mainnet.demo.btcpayserver.org/login
Click the link below

https://mainnet.demo.btcpayserver.org/recovery-seed-backup?cryptoCode=BTC&mnemonic=above&passphrase=&isStored=false&requireConfirm=true&returnUrl=//evil.com

Check the "I have written down my recovery phrase and stored it in a secure location"
Then click Done
You will be redirected to evil.com

Impact

An open redirect vulnerability exists in the affected products. An attacker could trick a validly authenticated user on the device into clicking a malicious link on the device, resulting in phishing attacks.

We are processing your report and will contact the btcpayserver team within 24 hours. 2 months ago

We have contacted a member of the btcpayserver team and are waiting to hear back 2 months ago

Nicolas Dorier

commented 2 months ago

Maintainer

https://github.com/btcpayserver/btcpayserver/pull/4575

A btcpayserver/btcpayserver maintainer has acknowledged this report 2 months ago

Nicolas Dorier gave praise 2 months ago

Thank you

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Nicolas Dorier validated this vulnerability 2 months ago

Jefferson Gonzales has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Nicolas Dorier marked this as fixed in 1.7.6 with commit c2cfa1 2 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Nicolas Dorier published this vulnerability 2 months ago

Nicolas Dorier

commented 2 months ago

Maintainer

https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.6

Nicolas Dorier gave praise 2 months ago

Thank you

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

to join this conversation

We are processing your report and will contact the btcpayserver team within 24 hours. 2 months ago

We have contacted a member of the btcpayserver team and are waiting to hear back 2 months ago

Nicolas Dorier

commented 2 months ago

Maintainer

https://github.com/btcpayserver/btcpayserver/pull/4575

A btcpayserver/btcpayserver maintainer has acknowledged this report 2 months ago

Nicolas Dorier gave praise 2 months ago

Thank you

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

Nicolas Dorier validated this vulnerability 2 months ago

Jefferson Gonzales has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Nicolas Dorier marked this as fixed in 1.7.6 with commit c2cfa1 2 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Nicolas Dorier published this vulnerability 2 months ago

Nicolas Dorier

commented 2 months ago

Maintainer

https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.6

Nicolas Dorier gave praise 2 months ago

Thank you

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

to join this conversation