Open Redirect in collectiveaccess/providence
Reported on
Nov 19th 2021
Description
I found a way to bypass the Open Redirect at the login page with the "redirect" parameter.
Vulnerable parameter
redirect
Payload
https://demo.collectiveaccess.org@google.com
Proof of Concept
Send users the following login link: https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=https%3A%2F%2Fdemo.collectiveaccess.org@google.com
After users log in with their registered account, they are redirected to google.com.
Impact
This functionality is not restricted to relative URLs within the application and could be leveraged by an attacker to fool an end-user into believing that a malicious URL they were redirected to is valid. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
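The payload works because a prefix or substring check on the trusted host string sees "demo.collectiveaccess.org" first, while the browser treats everything before the "@" as userinfo and navigates to google.com. Added example (not code from the report or from Providence) showing a redirect validator that parses the URL and compares the actual host, with the weak prefix check beside it for contrast; the trusted host name and the helper that pulls the redirect parameter out of the login link are assumptions for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Assumed trusted host for this illustration (taken from the report's PoC link).
TRUSTED_HOST = "demo.collectiveaccess.org"


def naive_is_safe(redirect: str) -> bool:
    """Weak check: a string prefix match on the trusted origin.

    Accepts the report's payload because the string does start with
    the trusted origin; the '@google.com' part is never inspected.
    """
    return redirect.startswith("https://" + TRUSTED_HOST)


def is_safe_redirect(redirect: str, trusted_host: str = TRUSTED_HOST) -> bool:
    """Accept only same-site relative paths or absolute URLs whose parsed host
    is the trusted host. Everything else falls back to the caller's default."""
    if not redirect:
        return False
    parsed = urlparse(redirect)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: must start with a single '/' ('//evil' is scheme-relative
        # and '\' is treated as '/' by some browsers).
        return (redirect.startswith("/")
                and not redirect.startswith("//")
                and "\\" not in redirect)
    if parsed.scheme.lower() not in ("http", "https"):
        return False
    # .hostname strips userinfo and port, so "trusted@google.com" yields
    # "google.com" and the comparison fails as it should.
    return parsed.hostname == trusted_host


def redirect_param_from_login_url(login_url: str) -> str:
    """Hypothetical helper: extract the decoded 'redirect' query parameter,
    i.e. what the server sees after URL-decoding the PoC link."""
    values = parse_qs(urlparse(login_url).query).get("redirect", [])
    return values[0] if values else ""


# Constructed sample: the PoC link from the report.
POC_LOGIN_URL = ("https://demo.collectiveaccess.org/index.php/system/auth/login"
                 "?redirect=https%3A%2F%2Fdemo.collectiveaccess.org@google.com")

if __name__ == "__main__":
    target = redirect_param_from_login_url(POC_LOGIN_URL)
    print("decoded redirect:", target)
    print("naive check accepts:", naive_is_safe(target))
    print("parsed check accepts:", is_safe_redirect(target))
```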