Multiple Open redirect in sissbruecker/linkding

Valid

Reported on

Mar 19th 2022


Description

There exist multiple open redirects in the GET parameter return_url. I found it in bookmarks/<int:bookmark_id>/edit, bookmarks/<int:bookmark_id>/remove, bookmarks/<int:bookmark_id>/archive, bookmarks/<int:bookmark_id>/unarchive, bookmarks/bulkedit

Proof of Concept

1. Log in to the demo instance https://demo.linkding.link/
2. Go to https://demo.linkding.link/bookmarks/3/remove?return_url=https://google.com
3. You will be redirected to google.com

Impact

Open Redirect

We are processing your report and will contact the sissbruecker/linkding team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
sissbruecker/linkding maintainer has acknowledged this report 2 months ago
Sascha
2 months ago

Maintainer


Thanks for reporting this @noobexploiterhuntrdev. Given the self-hosting scenario I don't think this is super critical, but can be fixed all the same.

Thinking about possible solutions here, how about checking that the redirect URL starts with a slash (/), and if not then redirect to a default route?
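The check proposed above, written out as an added example (this is not linkding's code and not the patch that was later merged; it only illustrates the idea of validating return_url against a same-site path). One caveat a plain "starts with /" test misses: a value such as //google.com also starts with a slash, and browsers treat it as a protocol-relative URL, so the example additionally rejects a double leading slash, any scheme or host component, backslashes (which some browsers normalise to slashes) and control characters. The default route /bookmarks and the helper names are assumptions for the example:

```python
from urllib.parse import parse_qs, urlsplit

# Constructed default for the example; the route linkding actually falls back to
# is not shown on this page.
DEFAULT_ROUTE = "/bookmarks"


def safe_return_url(value, default=DEFAULT_ROUTE):
    """Return `value` only if it is a same-site absolute path, else `default`.

    Rejected (all fall back to `default`):
      - empty values
      - anything carrying a scheme or host (https://google.com, //google.com,
        javascript:...), which is exactly the open-redirect case
      - a double leading slash, which browsers read as protocol-relative
      - backslashes, which some browsers rewrite to forward slashes
      - control characters / whitespace, which URL parsers may strip before
        they decide what the scheme or host is
    """
    if not value:
        return default
    if "\\" in value or any(c.isspace() or ord(c) < 0x20 for c in value):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return default
    if not value.startswith("/") or value.startswith("//"):
        return default
    return value


def location_for(query_string, default=DEFAULT_ROUTE):
    """Compute the Location a view such as .../remove should redirect to,
    given the raw query string it received (e.g. 'return_url=/bookmarks/3').
    Hypothetical helper standing in for the view's redirect logic."""
    params = parse_qs(query_string, keep_blank_values=True)
    return safe_return_url(params.get("return_url", [""])[0], default)


if __name__ == "__main__":
    # Constructed sample inputs, including the one from the proof of concept.
    for qs in (
        "return_url=/bookmarks/3",
        "return_url=https://google.com",
        "return_url=//google.com",
        "return_url=/\\google.com",
        "",
    ):
        print(f"{qs!r:40} -> {location_for(qs)}")
```

In a Django project the same policy is available from the framework as django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts=...), which performs these checks (and the scheme check) for you; the hand-written version above is only meant to make visible what such a check has to cover.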

noobexploiterhuntrdev
2 months ago

Researcher


Hi. Yeah, that looks like a good fix.

We have contacted a member of the sissbruecker/linkding team and are waiting to hear back 2 months ago
Sascha Ißbrücker validated this vulnerability 2 months ago
noobexploiterhuntrdev has been awarded the disclosure bounty
The fix bounty is now up for grabs
Sascha Ißbrücker confirmed that a fix has been merged on edb712 2 months ago
The fix bounty has been dropped
bookmarks.py#L153 has been validated
bookmarks.py#L162 has been validated