Open Redirect in bigbluebutton/greenlight


Reported on

Jun 22nd 2022


The Greenlight end-user interface is vulnerable to Open Redirect vulnerability in Login page due to unchecked the value of return_to cookie.

Proof of Concept

Original request example

POST /gl/u/login HTTP/1.1
Cookie: return_to=; _ga=GA1.2.75174201.1655862571; _gid=GA1.2.1247108436.1655862571; _gat_gtag_UA_33131630_1=1; _greenlight-2_3_session=FLsZsD9232zlyzG5gVpasMmXpeQ9bi3ofhipRGi%2BaHwAQCmSenHDKMO9DRziK2dFlplKT56UZjt%2FnCQqrrDMnAk3Y77rXNUfQjMCOV3Zedc1SMic7yuqck%2FRj7u1nkVV4xusXpjBF7LtoBAVkPQ%3D--3sRNMFDT40mbgT5E--wxoTOWme4WbMq4xhoEdKzw%3D%3D
Content-Length: 214
Cache-Control: max-age=0
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close


As you can see, there is a return_to cookie in the request that will redirect user to a site in that value after user log in. If I change that cookie to another value, for example:


Now, forward the edited request and you will be redirected to


If you have an open redirection vulnerability, it makes many other attacks possible:
-Phishing: The most obvious way to use an open redirect is to steer the victim away from the original site to a site that looks the same, steal user credentials, and then return to the vulnerable website as if nothing happened.
-Cross-site Scripting (XSS): If the redirect allows the use of data: or javascript: protocols and the client supports such protocols in redirects, it makes it possible for the attacker to perform an XSS attack.
-Server-Side Request Forgery (SSRF): Open redirects may be used to evade SSRF filters.
-Content-Security-Policy bypassing: If you use CSP to protect against XSS and one of the whitelisted domains has an open redirect, this vulnerability may be used to bypass CSP.
-CRLF Injection: If the redirection parameter allows line breaks, the attacker may try to perform response header splitting.

We are processing your report and will contact the bigbluebutton/greenlight team within 24 hours. 5 months ago
We have contacted a member of the bigbluebutton/greenlight team and are waiting to hear back 5 months ago
Ahmad Farhat
5 months ago


Thanks @khanhchauminh for the report!

We confirm this is a an issue with GreenLight <=2.12.6 and we're looking into patching it.

We have created a GitHub Security Advisory (private for the moment, will be published after the patch has been released, and after some time was provided for administrators to upgrade.) That advisory will have a CVE associated with.

We have sent a follow up to the bigbluebutton/greenlight team. We will try again in 7 days. 5 months ago
Ahmad Farhat validated this vulnerability 5 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the bigbluebutton/greenlight team. We will try again in 7 days. 5 months ago
We have sent a second fix follow up to the bigbluebutton/greenlight team. We will try again in 10 days. 5 months ago
We have sent a third and final fix follow up to the bigbluebutton/greenlight team. This report is now considered stale. 4 months ago
Ahmad Farhat marked this as fixed in 2.13.0 with commit 20fe1e 3 months ago
Ahmad Farhat has been awarded the fix bounty
This vulnerability will not receive a CVE
authenticator.rb#L53-L62 has been validated
3 months ago


Hi @admin, can you add the CVE for this report as mentioned in this release change:

CVE-2022-36028 - Severity: Moderate Value of return_to cookie is now checked to ensure it is a Greenlight url
Jamie Slome
3 months ago


Sorted 👍

to join this conversation