Open Redirect in openwhyd/openwhyd

Valid

Reported on Dec 5th 2021

Description

This vulnerability was discovered here by @mdakh404. However, it was not patched properly, and I bypassed the fix with a simple trick.

      r.html = mainTemplate.renderWhydPage(r);
    }
    // call the adequate renderer
-    if (r.redirect) response.redirect(r.redirect);
+    if (r.redirect) response.safeRedirect(r.redirect);
    else if (r.html) response.renderHTML(r.html);
    else response.renderJSON(r);
    // and track visit to that page
// https://github.com/openwhyd/openwhyd/commit/eb7a0e0cc7a6fc13b24490cfc515358489633a01#diff-55cf206bea85b4152b39d303c4ca205c9e5b7ad4e459f31cf897be7551ca45e4
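Review bot: The call site now delegates all validation of `r.redirect` to `safeRedirect()`, so the safety of this line rests entirely on that helper; as the companion hunk in logging.js shows, `safeRedirect()` compares the serialised href string against `config.urlPrefix` rather than the parsed origin, so a value whose text merely begins with the prefix still reaches `this.redirect(url)`. Also note that `response.redirect` is the custom prototype method that the adjacent `TODO` says Express already defines, so which implementation actually runs here is ambiguous until that prototype assignment is removed.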

First, I checked how it had been patched. In consent.js, the call to the redirect() method was replaced with a call to the safeRedirect() method.

   );
 };

+ // TODO: this function is overrided by Express => delete it to prevent ambiguity
 http.ServerResponse.prototype.redirect = function (url) {
   return this.renderHTML(loggingTemplate.htmlRedirect(url));
 };

+ http.ServerResponse.prototype.safeRedirect = function (url) {
+   const fullURL = new URL(url, config.urlPrefix);
+   if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();
+   this.redirect(url);
+ };
+
 http.ServerResponse.prototype.redirectWithTracking = function (url, title) {
   return this.renderHTML(
     loggingTemplate.renderRedirectPageWithTracking(url, title)
// https://github.com/openwhyd/openwhyd/commit/eb7a0e0cc7a6fc13b24490cfc515358489633a01#diff-852ce8e613d24ce649f8590a2661ba293b6043c9105024a8070f14ce8833a48d
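Review bot: The check `if (!fullURL.toString().startsWith(config.urlPrefix))` is a string-prefix comparison on the serialised href, not a check of where the browser will actually be sent; the userinfo part of a URL (`user@host`) comes before the host, so a redirect target that is a different site can still start with the prefix text. Compare the parsed origin instead, e.g. `if (fullURL.origin !== new URL(config.urlPrefix).origin) return this.forbidden();`, which also does not depend on whether `config.urlPrefix` carries a trailing slash. Separately, `new URL(url, config.urlPrefix)` throws a `TypeError` on unparsable input, so the constructor should sit in a `try`/`catch` that falls through to `this.forbidden()` rather than letting the request handler throw.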

The safeRedirect() method has been added to logging.js. However, look at the safeRedirect() method and you can see that it is flawed...

+ if (!fullURL.toString().startsWith(config.urlPrefix))

Look at the conditional statement! The value of url is parsed with the URL() constructor and stored in the fullURL variable. Then, in the if statement, fullURL is converted to a string and compared with the urlPrefix value. The default string conversion of a URL object is href, not origin, host, or hostname.

Look at the picture above. The flaw can be circumvented with a simple trick. Use origin, host, or hostname to validate the URL!
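The following is an added example, not code from openwhyd or from this report: it places the prefix check from the patched safeRedirect() beside an origin-based check and runs both over a few constructed redirect values, including the value used in the proof of concept below. URL_PREFIX stands in for config.urlPrefix and its value is an assumption; the function names are hypothetical.

```javascript
// Added example (not openwhyd's code). URL_PREFIX stands in for
// config.urlPrefix; the value is assumed for illustration.
const URL_PREFIX = "https://openwhyd.org";

// Mirrors the logic of the patched safeRedirect(): resolve the value against
// the prefix, then compare the serialised href (what toString() yields)
// against the prefix text.
function flawedIsSafeRedirect(url) {
  const fullURL = new URL(url, URL_PREFIX);
  return fullURL.toString().startsWith(URL_PREFIX);
}

// Hardened variant: resolve the value the same way, but compare the parsed
// origin (scheme + host + port) with the expected origin. Userinfo before the
// host, a different host, or a different scheme all change the origin, and
// unparsable input is rejected instead of throwing.
function isSafeRedirect(url) {
  let fullURL;
  try {
    fullURL = new URL(url, URL_PREFIX);
  } catch {
    return false;
  }
  return fullURL.origin === new URL(URL_PREFIX).origin;
}

// Constructed sample inputs. The third one is the value from the report's
// proof of concept; the last one is not a parsable URL at all.
const samples = [
  "/u/1234",
  "https://openwhyd.org/signup",
  "https://openwhyd.org@google.com",
  "//google.com/",
  "https://example.org/",
  "https://",
];

// Evaluate every sample with both checks; the flawed check is allowed to
// throw, which is recorded as the string "throws".
function evaluate(urls) {
  return urls.map((u) => {
    let flawed;
    try {
      flawed = flawedIsSafeRedirect(u);
    } catch {
      flawed = "throws";
    }
    return { url: u, flawed, hardened: isSafeRedirect(u) };
  });
}

for (const row of evaluate(samples)) console.log(row);
```

Run under Node, the table shows the two checks agreeing on the relative and same-origin values and disagreeing on the proof-of-concept value, where `flawedIsSafeRedirect` returns true because the href starts with the prefix while `isSafeRedirect` returns false because the origin is not the expected one.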

Proof of Concept

1. Open https://openwhyd.org/consent?redirect=https://openwhyd.org@google.com
2. If you click the button after agreeing to the terms and conditions, you will be redirected to Google.

Impact

An open redirect can do additional damage by redirecting users to a malicious site.

We are processing your report and will contact the openwhyd team within 24 hours. 2 months ago
Pocas modified their report 2 months ago
We have contacted a member of the openwhyd team and are waiting to hear back 2 months ago
We have sent a follow up to the openwhyd team. We will try again in 7 days. 2 months ago
Adrien Joly validated this vulnerability 2 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly
2 months ago

Maintainer


Good catch, thanks for submitting! I'm working on a fix: https://github.com/openwhyd/openwhyd/pull/498 Feedback is welcome.

Pocas
2 months ago

Researcher


Confirmed patch commit! It's a good patch!

Adrien Joly confirmed that a fix has been merged on 387079 2 months ago
Adrien Joly has been awarded the fix bounty
Adrien Joly
2 months ago

Maintainer


Can you assign a CVE to a researcher?

Jamie Slome
2 months ago

Admin


@adrienjoly - sorted! ♥️