Open Redirect in alanaktion/phproject

Valid

Reported on

Jan 28th 2022


Description

Bypass open redirect protection

Proof of Concept

The patch for this report (https://huntr.dev/bounties/1183df1a-5243-42f9-a263-267b92444b03/) can easily be bypassed.

Bypass URL: https://demo.phproject.org/login?to=//example.com
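The bypass works because a target such as `//example.com` carries no scheme, so a filter that only rejects `http://` and `https://` prefixes lets the browser resolve it as a protocol-relative URL to an external host. The following is an added example (not phproject's code, and not the patch referenced above): a constructed weak check of that kind beside a stricter one that only accepts single-slash local paths, which also covers variants beyond the one on this page (`///host`, backslashes, and embedded whitespace that browsers strip).

```python
import re
from urllib.parse import urlsplit

# Constructed illustration of a scheme-prefix filter (NOT phproject's code):
# it rejects "http://..." but lets "//example.com" through.
def naive_is_safe(target: str) -> bool:
    lowered = target.lower()
    return not (lowered.startswith("http://") or lowered.startswith("https://"))


def is_safe_redirect_target(target: str) -> bool:
    """Accept only a local absolute path such as "/issues/42"."""
    if not target:
        return False
    # Browsers strip \t \r \n before parsing and treat "\" as "/", so
    # "/\t/evil" and "/\\evil" both become "//evil". Reject them outright.
    if re.search(r"[\s\\\x00-\x1f\x7f]", target):
        return False
    # Exactly one leading "/" not followed by another "/": this blocks
    # "//example.com" (the bypass on this page) and "///example.com".
    if not re.match(r"^/(?!/)", target):
        return False
    # Belt and braces: confirm no scheme or authority survived parsing.
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def resolve_redirect(target: str, default: str = "/") -> str:
    """Return the post-login destination, falling back to a known-safe default."""
    return target if is_safe_redirect_target(target) else default


if __name__ == "__main__":
    # The "to" value from the report's proof of concept.
    poc = "//example.com"
    print("naive check passes PoC:", naive_is_safe(poc))          # True (bypass)
    print("strict check passes PoC:", is_safe_redirect_target(poc))  # False
    print("resolved destination:", resolve_redirect(poc))          # "/"
```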

Timeline

We are processing your report and will contact the alanaktion/phproject team within 24 hours. (a year ago)
We have contacted a member of the alanaktion/phproject team and are waiting to hear back. (a year ago)
We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. (a year ago)
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. (a year ago)
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. (a year ago)
Alan Hardman validated this vulnerability. (a year ago)
ranjit-git has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Alan Hardman marked this as fixed in 1.7.13 with commit c9c95f. (a year ago)
The fix bounty has been dropped.
This vulnerability will not receive a CVE.
index.php#L47-L62 has been validated.
index.php#L78-L113 has been validated.