Open Redirect on login in go-gitea/gitea

Valid

Reported on

Mar 23rd 2022


Description

Although https://github.com/go-gitea/gitea/pull/9678 protects against most open redirects, there is an unfortunate flaw in its logic due to browser behaviour when presented with Location headers that contain backslashes.

Proof of Concept

https://try.gitea.io/user/login?redirect_to=/\/\/\/\/\/\/\/\/\/\/\/\/\/\thedailywtf.com 

Following a successful login using this URL, a redirect will be sent back to the browser with the Location header equal to: /\/\/\/\/\/\/\/\/\/\/\/\/\/\thedailywtf.com. This will be interpreted by the browser as a redirect to //thedailywtf.com.

Impact

This vulnerability constitutes an open redirect:

  • Users may be redirected to an untrusted page that contains malware which may then compromise the user's machine. This will expose the user to extensive risk and the user's interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.
  • Users may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user's credentials and then use these credentials to access the legitimate web site.

Mitigation

This vulnerability will be mitigated with:

https://github.com/go-gitea/gitea/pull/19175
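The check below is an added illustration of the class of validation the report calls for; it is not the code from the pull request above or any other Gitea code. It assumes a single hypothetical helper, IsSafeLocalRedirect, and models the browser behaviour described in the report by folding every backslash into a forward slash before deciding whether a redirect_to value still names a path on the same origin. The sample values in main are constructed from the proof of concept.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// NormaliseLikeBrowser rewrites backslashes as forward slashes. Browsers
// following the WHATWG URL standard treat '\' as '/' when resolving URLs
// with special schemes such as http and https, which is why a Location of
// "/\host" is followed as "//host".
func NormaliseLikeBrowser(target string) string {
	return strings.ReplaceAll(target, "\\", "/")
}

// IsSafeLocalRedirect reports whether a redirect_to value may be echoed back
// as a Location header without leaving the current origin. Hypothetical
// helper for illustration; Gitea's real validation lives in the linked PR.
func IsSafeLocalRedirect(target string) bool {
	if target == "" {
		return false
	}
	// Decide on the form the browser will actually see, not the raw string.
	normalised := NormaliseLikeBrowser(target)

	// A same-origin target is an absolute path: exactly one leading slash.
	// "//host" (and therefore "/\host") is a scheme-relative URL and is rejected.
	if !strings.HasPrefix(normalised, "/") || strings.HasPrefix(normalised, "//") {
		return false
	}

	// Belt and braces: anything that parses with a scheme, host or userinfo
	// is not a local path.
	u, err := url.Parse(normalised)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil {
		return false
	}

	// Control characters have no place in a Location value.
	for _, r := range normalised {
		if r < 0x20 || r == 0x7f {
			return false
		}
	}
	return true
}

func main() {
	// Constructed inputs: a legitimate path, the report's proof of concept,
	// a minimal backslash variant, and the plain scheme-relative form.
	for _, t := range []string{
		"/user/settings",
		`/\/\/\/\/\/\/\/\/\/\/\/\/\/\thedailywtf.com`,
		`/\thedailywtf.com`,
		"//thedailywtf.com",
		"https://thedailywtf.com/",
	} {
		fmt.Printf("%-48q browser sees %-28q safe=%v\n",
			t, NormaliseLikeBrowser(t), IsSafeLocalRedirect(t))
	}
}
```

The important design point is that the decision is taken on the browser-normalised string rather than the raw parameter; a prefix test on the raw value is exactly what the backslash trick bypasses.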

We are processing your report and will contact the go-gitea/gitea team within 24 hours. a year ago
A go-gitea/gitea maintainer has acknowledged this report a year ago
zeripath submitted a
a year ago
Jamie Slome
a year ago

Admin


@zeripath - I can see that you are trying to validate this report. We do currently have protections in place to prevent maintainers from validating their own reports but recognise that this is a feature that maintainers do want.

Would you like me to go ahead and approve this report and confirm the fix?

Jamie Slome
a year ago

Admin


I've also created this public feature request to keep track of the progress of this.

zeripath
a year ago

Maintainer


The PR hasn't been merged yet - so I guess once it's merged it should be considered fixed.

Jamie Slome
a year ago

Admin


Sure 👍 Would you like me to approve the report in the meantime? This will not make the report public. The report goes public only once the fix is confirmed.

zeripath
a year ago

Maintainer


yes please approve.

Jamie Slome validated this vulnerability a year ago
zeripath has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome
a year ago

Admin


Sorted 👍 Once you are ready with the fix, let me know, and I will confirm this too.

zeripath
a year ago

Maintainer


fix is in https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48 on release/v1.16

zeripath
a year ago

Maintainer


@admin the fix for this has been released as part of 1.16.5

Jamie Slome marked this as fixed in 1.16.5 with commit e3d8e9 a year ago
zeripath has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
a year ago

Admin


Sorted! 👍
