Open Redirect in fisharebest/webtrees

Valid

Reported on

Sep 29th 2021


Description

I saw this report :

https://huntr.dev/bounties/ad4278af-52b7-4c34-8d43-9b829105d499/

and Also your fix commit

https://www.github.com/fisharebest/webtrees/commit/551ad4afbcef2a72a6cf6461f1747762180b12c5

then I should say that the fix can be bypassed with such payloads :

If the base_url be test.com then we can bypass it with these payloads :

test.com:test@mysite.com == >mysite.com

test.com.mysite.com == >mysite.com

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 2 months ago
Greg Roach validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged on 8d9c2b 2 months ago
Greg Roach has been awarded the fix bounty
ContactAction.php#L1-L164 has been validated
EmptyClipboard.php#L1-L69 has been validated
EditFactAction.php#L1-L122 has been validated
LoginAction.php#L1-L147 has been validated
MessageAction.php#L1-L114 has been validated