Multiple Open redirect in sissbruecker/linkding
Valid
Reported on Mar 19th 2022
Description
There exist multiple open redirects in the GET parameter return_url. I found it in bookmarks/<int:bookmark_id>/edit, bookmarks/<int:bookmark_id>/remove, bookmarks/<int:bookmark_id>/archive, bookmarks/<int:bookmark_id>/unarchive, bookmarks/bulkedit
Proof of Concept
1. Log in to the demo instance https://demo.linkding.link/
2. Go to https://demo.linkding.link/bookmarks/3/remove?return_url=https://google.com
3. You will be redirected to google.com
Impact
Open Redirect
Thanks for reporting this @noobexploiterhuntrdev. Given the self-hosting scenario I don't think this is super critical, but can be fixed all the same.
Thinking about possible solutions here, how about checking that the redirect URL starts with a slash (/), and if not then redirect to a default route?
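The following is an added example, not code from the report or from linkding, illustrating both the behaviour in the proof of concept (the handler redirects to whatever arrives in return_url) and a hardened version of the validation proposed in the comment above. The route name /bookmarks used as the fallback and the query-string parsing helper are assumptions for illustration. One caveat a practitioner should note: a bare "starts with /" check is not sufficient on its own, because browsers treat "//evil.example" (and, per the WHATWG URL parser, "/\evil.example") as scheme-relative URLs pointing at another host, so the check below also rejects those forms.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed fallback route; linkding's own default may differ.
DEFAULT_ROUTE = "/bookmarks"


def return_url_from_query(query_string):
    """Mimic request.GET.get('return_url') for a raw query string (assumed helper)."""
    return parse_qs(query_string).get("return_url", [None])[0]


def vulnerable_location(query_string):
    """Behaviour described in the report: the redirect target is taken verbatim.

    ?return_url=https://google.com therefore yields Location: https://google.com
    """
    target = return_url_from_query(query_string)
    return target or DEFAULT_ROUTE


def is_local_path(url):
    """Accept only same-origin, path-only targets such as '/bookmarks?q=x'."""
    if not url or not url.startswith("/"):
        return False
    # Scheme-relative forms: browsers resolve '//host' and '/\host' to another origin.
    if url.startswith("//") or url.startswith("/\\"):
        return False
    # Backslashes and control characters have no business in a local path.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    parts = urlsplit(url)
    # Anything that parsed out a scheme or host is not a local path.
    return not parts.scheme and not parts.netloc


def hardened_location(query_string):
    """Redirect to return_url only if it is a local path, else to the default route."""
    target = return_url_from_query(query_string)
    return target if is_local_path(target) else DEFAULT_ROUTE


if __name__ == "__main__":
    # Constructed query strings mirroring the proof of concept and a few bypass attempts.
    for qs in ("return_url=https://google.com",
               "return_url=//google.com",
               "return_url=/%5Cgoogle.com",
               "return_url=/bookmarks/3/edit%3Fq%3Dlinkding"):
        print(f"{qs!r}: vulnerable -> {vulnerable_location(qs)}, hardened -> {hardened_location(qs)}")
```

In a Django project the equivalent check is `django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts=...)`, which also permits explicitly allowed hosts; the standalone function above implements only the path-only subset that the comment proposes, so it runs without Django.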
The fix bounty has been dropped
This vulnerability will not receive a CVE
bookmarks.py#L153 has been validated
bookmarks.py#L162 has been validated