Open Redirect in openwhyd/openwhyd

Valid

Reported on

Dec 5th 2021


Description

This vulnerability was originally discovered here by @mdakh404. However, it was not patched properly, and I bypassed the patch with a simple trick.

      r.html = mainTemplate.renderWhydPage(r);
    }
    // call the adequate renderer
-    if (r.redirect) response.redirect(r.redirect);
+    if (r.redirect) response.safeRedirect(r.redirect);
    else if (r.html) response.renderHTML(r.html);
    else response.renderJSON(r);
    // and track visit to that page
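Review bot: the guard this call site relies on lives entirely in safeRedirect(), so swapping redirect() for safeRedirect() here is only as safe as that check; the prefix comparison added in logging.js accepts any URL whose serialized href merely begins with config.urlPrefix, so the fix belongs in safeRedirect() (compare the parsed origin against the origin of config.urlPrefix) rather than at this call site alone.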
// https://github.com/openwhyd/openwhyd/commit/eb7a0e0cc7a6fc13b24490cfc515358489633a01#diff-55cf206bea85b4152b39d303c4ca205c9e5b7ad4e459f31cf897be7551ca45e4

First, I checked how it was patched. In the patch, I could see that the redirect() call in consent.js had been replaced with the safeRedirect() method.

   );
 };

+ // TODO: this function is overrided by Express => delete it to prevent ambiguity
 http.ServerResponse.prototype.redirect = function (url) {
   return this.renderHTML(loggingTemplate.htmlRedirect(url));
 };

+ http.ServerResponse.prototype.safeRedirect = function (url) {
+   const fullURL = new URL(url, config.urlPrefix);
+   if (!fullURL.toString().startsWith(config.urlPrefix)) return this.forbidden();
+   this.redirect(url);
+ };
+
 http.ServerResponse.prototype.redirectWithTracking = function (url, title) {
   return this.renderHTML(
     loggingTemplate.renderRedirectPageWithTracking(url, title)
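Review bot: the check `if (!fullURL.toString().startsWith(config.urlPrefix))` compares the serialized href as a plain string, so any URL whose href begins with config.urlPrefix passes even when its host differs (the report's https://openwhyd.org@google.com is one such URL, since everything before the "@" is parsed as userinfo). Suggest comparing parsed components instead, e.g. `if (fullURL.origin !== new URL(config.urlPrefix).origin) return this.forbidden();`, and wrapping the URL constructor in a try/catch so malformed input returns forbidden() instead of throwing. The TODO on the redirect override also deserves a follow-up: safeRedirect() calls this.redirect(url) after the check, so whichever implementation wins receives a validated url, but the ambiguity should be resolved rather than left as a comment.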
// https://github.com/openwhyd/openwhyd/commit/eb7a0e0cc7a6fc13b24490cfc515358489633a01#diff-852ce8e613d24ce649f8590a2661ba293b6043c9105024a8070f14ce8833a48d

The safeRedirect() method has been added to logging.js. However, look at the safeRedirect() method: you can see that it is flawed...

+ if (!fullURL.toString().startsWith(config.urlPrefix))

Look at the conditional statement! The value of url is parsed with the URL() constructor and stored in the fullURL variable. Then, in the if statement, fullURL is converted to a string and compared against the urlPrefix value. But the string form of a URL object (what toString() returns) is the href, not the origin, host, or hostname.

Look at the picture above. This flaw can be circumvented with a simple trick. The URL must be validated using origin, host, or hostname!
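As an added example (not openwhyd's code and not part of the original report), the following Node.js script places the flawed href-prefix check next to an origin-based check. URL_PREFIX is a placeholder standing in for config.urlPrefix, and the sample inputs are constructed (they include the bypass URL from the report), so the script runs offline and shows which check each input satisfies.

```javascript
// Added example, not openwhyd's code. URL_PREFIX is a placeholder for
// config.urlPrefix; the inputs below are constructed test values.
const URL_PREFIX = "https://openwhyd.org";

// Flawed check, mirroring the patched safeRedirect(): the URL is resolved
// against the prefix and its serialized href is compared as a plain string.
function prefixCheckAllows(url) {
  const fullURL = new URL(url, URL_PREFIX);
  return fullURL.toString().startsWith(URL_PREFIX);
}

// Hardened check: compare the parsed origin (scheme + host + port) of the
// resolved URL with the origin of the configured prefix. Userinfo such as
// "openwhyd.org@" is not part of the origin, so it cannot satisfy the check.
function originCheckAllows(url) {
  let fullURL;
  try {
    fullURL = new URL(url, URL_PREFIX);
  } catch {
    return false; // unparsable input is never a valid redirect target
  }
  return fullURL.origin === new URL(URL_PREFIX).origin;
}

// Returns the normalized href to redirect to, or null when the target is
// rejected; a handler would call response.forbidden() on null.
function safeRedirectTarget(url) {
  return originCheckAllows(url) ? new URL(url, URL_PREFIX).href : null;
}

// Constructed sample inputs: a relative path, a same-origin absolute URL, and
// the bypass URL from the report (everything before "@" is userinfo).
const SAMPLES = [
  "/consent",
  "https://openwhyd.org/u/123",
  "https://openwhyd.org@google.com",
];

// Builds one row per input showing the parsed href and host next to the
// verdict of each check, so the difference between the two is visible.
function compareChecks(urls) {
  return urls.map((url) => {
    const parsed = new URL(url, URL_PREFIX);
    return {
      url,
      href: parsed.href,
      host: parsed.host,
      prefixCheck: prefixCheckAllows(url),
      originCheck: originCheckAllows(url),
    };
  });
}

console.table(compareChecks(SAMPLES));
```

Running the script prints a table in which the bypass URL has host google.com and still passes the prefix check, because its href begins with https://openwhyd.org, while the origin check rejects it. Comparing origin rather than the href string is the property the report asks for; the try/catch additionally turns malformed input into a rejection instead of an unhandled exception.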

Proof of Concept

1. Open the https://openwhyd.org/consent?redirect=https://openwhyd.org@google.com
2. If you click the button after agreeing to the terms and conditions, you will be redirected to Google.

Impact

An open redirect can do additional damage by sending the user to a malicious site.

We are processing your report and will contact the openwhyd team within 24 hours. a year ago
Pocas modified the report
a year ago
We have contacted a member of the openwhyd team and are waiting to hear back a year ago
We have sent a follow up to the openwhyd team. We will try again in 7 days. a year ago
Pocas modified the report
a year ago
Pocas modified the report
a year ago
Pocas modified the report
a year ago
Adrien Joly validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly
a year ago

Good catch, thanks for submitting! I'm working on a fix: https://github.com/openwhyd/openwhyd/pull/498 Feedback is welcome.

Pocas
a year ago

Researcher


Confirmed patch commit! It's a good patch!

Adrien Joly marked this as fixed in 1.45.3 with commit 387079 a year ago
Adrien Joly has been awarded the fix bounty
This vulnerability will not receive a CVE
Adrien Joly
a year ago

Can you assign a CVE to a researcher?

Jamie Slome
a year ago

Admin


@adrienjoly - sorted! ♥️
