Open Redirect in octoprint/octoprint

Valid

Reported on

Jun 30th 2022


📝 Description

The redirect get variable in login page isn't properly checked. Currently, it check if url.scheme and url.netloc are empty using urllib.

parsed = urlparse(redirect_url)  # check if redirect url is valid
if parsed.scheme != "" or parsed.netloc != "":
    _logger.warning(
        f"Got an invalid redirect URL with the login attempt, misconfiguration or attack attempt: {redirect_url}"
    )
    redirect_url = default_redirect_url

The problem here, is that urllib does not handle all url currently. For example:

>>> urlparse("\/mizu.re/")
ParseResult(scheme='', netloc='', path='\\/mizu.re/', params='', query='', fragment='')

As you can see, here url.scheme and url.netloc are empty and path is a valid URL. Knowing that, we can easly bypass the restriction.

🕵️‍♂️ Proof of Concept

  • Step 1: start octoprint and go to http://localhost:5000/login?redirect=\/\/mizu.re/.

login.png

  • Step 2: login.

mizu.png

Impact

An attacker could redirect a user to malicious domain, for example, it could be useful for phishing.

Occurrences

Make sure that the url does not start by spaces followed by // or \\.

We are processing your report and will contact the octoprint team within 24 hours. 3 months ago
We have contacted a member of the octoprint team and are waiting to hear back 3 months ago
Shawn Bruce modified the Severity from High to Low 3 months ago
Shawn Bruce
3 months ago

Maintainer


Adjusting to low as this is very similar to: https://huntr.dev/bounties/073464fc-3f5c-45c2-ae90-6e423e1fd35a/

Mizu
3 months ago

Researcher


Yes, it is a bypass of the security that have been made in place to avoid https://huntr.dev/bounties/073464fc-3f5c-45c2-ae90-6e423e1fd35a/ vulnerability

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Shawn Bruce validated this vulnerability 3 months ago

@admin this vuln is valid by our definition but huntr.dev requires that "You're confirming that this is the first time you've heard of this vulnerability. ". This is not the first time we've seen it as it was previously reported via https://huntr.dev/bounties/073464fc-3f5c-45c2-ae90-6e423e1fd35a/ and was thought to have been patched. @Mizu brought light onto another way around it. How should this be marked?

Mizu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jamie Slome
3 months ago

Admin


@Shawn - that is a fairly unique one. Seeing as there has been a bypass identified for the initial vulnerability, it is correct to mark this report as valid.

It is okay if you have heard of this vulnerability in a similar way before, it just needs to be unique in some way, i.e. as you mention, it was thought to have been patched, but a new method has been identified to exploit.

Do you expect a fix for this report?

We have sent a fix follow up to the octoprint team. We will try again in 7 days. 3 months ago
Charlie Powell
3 months ago

Maintainer


Do you expect a fix for this report?

Yes, we will fix it - Gina is currently on a vacation for a few weeks, after that there will be a release with the issue fixed.

Jamie Slome
3 months ago

Admin


Great 👍

We have sent a second fix follow up to the octoprint team. We will try again in 10 days. 2 months ago
We have sent a third and final fix follow up to the octoprint team. This report is now considered stale. 2 months ago
Gina Häußge confirmed that a fix has been merged on dabdd4 a month ago
Gina Häußge has been awarded the fix bounty
views.py#L178 has been validated
to join this conversation