Open Redirect in blogifierdotnet/blogifier

Valid

Reported on

Sep 28th 2021


Description

Open redirect at login page due to unchecked "returnUrl" param

Proof of Concept

  1. Go to demo page link http://demo.blogifier.net/admin/login/?returnUrl=https://google.com
  2. Login using demo account and see that you are redirected to google.com

Impact

This vulnerability is capable of open redirect

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
We have contacted a member of the blogifierdotnet/blogifier team and are waiting to hear back a year ago
blogifierdotnet/blogifier maintainer
a year ago

Maintainer


How is this vulnerability if you have to first sign in as a site admin??

M0rphling
a year ago

Researcher


Hi, the vulnerability is of type Open Redirect, that means the user is redirected from blogifier to another malicious page. In the real attack scenario, the attacker will send this url to user:
http://demo.blogifier.net/admin/login/?returnUrl={attacker_malicious_link} If the user logs in, he/she then redirected to malicious site. Reference : https://portswigger.net/kb/issues/00500100_open-redirection-reflected

We have sent a third and final follow up to the blogifierdotnet/blogifier team. This report is now considered stale. a year ago
blogifierdotnet/blogifier maintainer validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
blogifierdotnet/blogifier maintainer confirmed that a fix has been merged on e0301d a year ago
The fix bounty has been dropped
to join this conversation