We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Open Redirect in sbrl/pepperminty-wiki

Valid

Reported on

Sep 14th 2021

Description

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.

https://github.com/sbrl/Pepperminty-Wiki/ is vulnerable to open redirects as shown below:

Proof of Concept

Vulnerable line: release index.php:12188
Snippet:

if(isset($_GET["returnto"]))
                $login_form_action_url .= "&returnto=" . rawurlencode($_GET["returnto"]);

Proof of concept:
Login to peppermint
Visit in a browser:

http://localhost/Pepperminty-Wiki/index.php?action=login&returnto=http://example.com

Observe the open redirection

Impact

This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Z-Old
2 years ago

Admin

Hey hitisec, I've emailed the maintainers for you.

We have contacted a member of the sbrl/pepperminty-wiki team and are waiting to hear back 2 years ago
Starbeamrainbowlabs marked this as fixed with commit f59e68 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Starbeamrainbowlabs
2 years ago

Maintainer

Thanks for this - I've ensured that Pepperminty Wiki only allows redirects using the query string - which ensures that redirects do not leave the current Pepperminty Wiki instance.

to join this conversation