Open Redirect in octoprint/octoprint

Valid

Reported on Jun 30th 2022


📝 Description

The redirect GET parameter of the login page is not properly validated. Currently the code only checks, using urllib's urlparse, that url.scheme and url.netloc are empty:

from urllib.parse import urlparse

# _logger, redirect_url and default_redirect_url come from the surrounding OctoPrint login view
parsed = urlparse(redirect_url)  # check if redirect url is valid
if parsed.scheme != "" or parsed.netloc != "":
    _logger.warning(
        f"Got an invalid redirect URL with the login attempt, misconfiguration or attack attempt: {redirect_url}"
    )
    redirect_url = default_redirect_url

The problem is that urllib does not parse URLs the way a browser does; in particular, it does not treat a backslash as equivalent to a forward slash. For example:

>>> urlparse("\/mizu.re/")
ParseResult(scheme='', netloc='', path='\\/mizu.re/', params='', query='', fragment='')

As you can see, url.scheme and url.netloc are both empty and the whole string ends up in path, yet a browser resolves \/mizu.re/ as a protocol-relative URL pointing at the external host mizu.re. Knowing that, we can easily bypass the restriction.

🕵️‍♂️ Proof of Concept

  • Step 1: start OctoPrint and open http://localhost:5000/login?redirect=\/\/mizu.re/ in a browser.

(screenshot: login.png)

  • Step 2: log in. After a successful login the browser is sent to mizu.re instead of a page on the OctoPrint host.

(screenshot: mizu.png)

Impact

An attacker who gets a user to follow a crafted login link can redirect that user to a malicious domain after a successful login. This is useful for phishing, since the victim starts on the legitimate OctoPrint login page.

Occurrences

Make sure that the URL does not start with spaces followed by // or \\.
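The following Python script is an added example; it is not OctoPrint's code and not part of the report. It puts the quoted check beside a hardened one that first normalizes the value the way a browser does (ASCII tabs and newlines dropped, leading and trailing control characters and spaces stripped, backslashes treated as slashes) and then requires an absolute path with exactly one leading slash. That single rule covers the \/ payload from the description as well as the leading-space and \\ cases named in the fix suggestion above, and it generalizes to any mix of / and \ in the first two characters. The origin http://localhost:5000/, the fallback target "/" and the sample inputs are assumptions constructed for this demo.

```python
import re
from urllib.parse import urlparse, urljoin

# Assumptions for this example: OctoPrint's default local origin and a fallback target.
BASE_URL = "http://localhost:5000/"
DEFAULT_REDIRECT_URL = "/"


def vulnerable_redirect(redirect_url):
    """The check quoted in the report, reduced to a function that returns where
    the user is sent after login (OctoPrint's own code also logs a warning)."""
    parsed = urlparse(redirect_url)
    if parsed.scheme != "" or parsed.netloc != "":
        return DEFAULT_REDIRECT_URL
    return redirect_url


def _normalize_like_a_browser(url):
    """Approximate the WHATWG URL parser steps that urllib does not perform:
    ASCII tab/newline are removed anywhere, leading/trailing C0 controls and
    spaces are stripped, and for http(s) a backslash is the same as a slash."""
    url = re.sub(r"[\t\r\n]", "", url)
    url = url.strip("".join(chr(c) for c in range(0x21)))
    return url.replace("\\", "/")


def safe_redirect(redirect_url, base_url=BASE_URL):
    """Hardened version: only accept an absolute path on our own origin."""
    candidate = _normalize_like_a_browser(redirect_url)
    # Exactly one leading slash: "//host", "\\host" and "\/host" all collapse to "//host"
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_REDIRECT_URL
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return DEFAULT_REDIRECT_URL
    # Belt and braces: resolve against our origin and confirm the host did not change
    if urlparse(urljoin(base_url, candidate)).netloc != urlparse(base_url).netloc:
        return DEFAULT_REDIRECT_URL
    return candidate


# Constructed inputs: the report's payloads, a few related variants and a legitimate path.
SAMPLES = [
    "/settings",
    "//mizu.re/",
    "\\/mizu.re/",
    "\\/\\/mizu.re/",
    "/\\mizu.re/",
    " //mizu.re/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:24} vulnerable -> {vulnerable_redirect(sample)!r:18} "
              f"safe -> {safe_redirect(sample)!r}")
```

Run it to see the two functions side by side: the quoted check lets \/mizu.re/ and \/\/mizu.re/ through untouched because urlparse leaves scheme and netloc empty for them, while the hardened check falls back to "/" for every external variant and keeps genuine local paths such as /settings. Whether urlparse itself strips a leading space or tab depends on the Python release, which is one more reason not to rely on it for this decision.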

We are processing your report and will contact the octoprint team within 24 hours. a year ago
We have contacted a member of the octoprint team and are waiting to hear back a year ago
Shawn Bruce modified the Severity from High to Low a year ago
Shawn Bruce
a year ago

Maintainer


Adjusting to low as this is very similar to: https://huntr.dev/bounties/073464fc-3f5c-45c2-ae90-6e423e1fd35a/

Mizu
a year ago

Researcher


Yes, it is a bypass of the protection that was put in place to avoid the https://huntr.dev/bounties/073464fc-3f5c-45c2-ae90-6e423e1fd35a/ vulnerability.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Shawn Bruce validated this vulnerability a year ago

@admin this vuln is valid by our definition but huntr.dev requires that "You're confirming that this is the first time you've heard of this vulnerability. ". This is not the first time we've seen it as it was previously reported via https://huntr.dev/bounties/073464fc-3f5c-45c2-ae90-6e423e1fd35a/ and was thought to have been patched. @Mizu brought light onto another way around it. How should this be marked?

Mizu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jamie Slome
a year ago

Admin


@Shawn - that is a fairly unique one. Seeing as there has been a bypass identified for the initial vulnerability, it is correct to mark this report as valid.

It is okay if you have heard of this vulnerability in a similar way before, it just needs to be unique in some way, i.e. as you mention, it was thought to have been patched, but a new method has been identified to exploit.

Do you expect a fix for this report?

We have sent a fix follow up to the octoprint team. We will try again in 7 days. a year ago
Charlie Powell
a year ago

Maintainer


Do you expect a fix for this report?

Yes, we will fix it - Gina is currently on a vacation for a few weeks, after that there will be a release with the issue fixed.

Jamie Slome
a year ago

Admin


Great 👍

We have sent a second fix follow up to the octoprint team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the octoprint team. This report is now considered stale. a year ago
Gina Häußge marked this as fixed in 1.8.2 with commit dabdd4 a year ago
Gina Häußge has been awarded the fix bounty
This vulnerability will not receive a CVE
views.py#L178 has been validated