Open Redirect in blogifierdotnet/blogifier

Valid

Reported on

Sep 28th 2021


Description

Open redirect on the login page due to an unchecked "returnUrl" parameter.

Proof of Concept

  1. Go to the demo page link http://demo.blogifier.net/admin/login/?returnUrl=https://google.com
  2. Log in using the demo account and see that you are redirected to google.com

Impact

This vulnerability allows an open redirect.
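One way to validate the `returnUrl` value before redirecting after login, as an added example that is not blogifier's code or its merged fix. The function names and the `/admin/` fallback are assumptions, and the sample URLs other than the report's PoC link are constructed.

```python
from urllib.parse import parse_qs, urlsplit

FALLBACK = "/admin/"  # assumed default landing page after login


def is_local_url(url: str) -> bool:
    """Accept only path-absolute targets on the same site, e.g. /admin/posts."""
    if not url or not url.startswith("/"):
        return False  # absolute URLs (https://...), other schemes, empty values
    if url.startswith("//") or url.startswith("/\\"):
        return False  # browsers treat //host and /\host as pointing at another host
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False  # control characters (tab, CR, LF) can change how the URL is parsed
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def resolve_return_url(login_url: str) -> str:
    """Return the post-login redirect target for a requested login URL."""
    query = parse_qs(urlsplit(login_url).query)
    candidate = query.get("returnUrl", [""])[0]
    # Anything that is not a local path falls back to the default page.
    return candidate if is_local_url(candidate) else FALLBACK


if __name__ == "__main__":
    samples = [
        # PoC link from the report
        "http://demo.blogifier.net/admin/login/?returnUrl=https://google.com",
        # Constructed samples
        "http://demo.blogifier.net/admin/login/?returnUrl=/admin/posts",
        "http://demo.blogifier.net/admin/login/?returnUrl=//example.com",
        "http://demo.blogifier.net/admin/login/?returnUrl=/%5Cexample.com",
        "http://demo.blogifier.net/admin/login/",
    ]
    for s in samples:
        print(s, "->", resolve_return_url(s))
```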

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the blogifierdotnet/blogifier team and are waiting to hear back 2 months ago
blogifierdotnet/blogifier maintainer
2 months ago

Maintainer


How is this a vulnerability if you have to first sign in as a site admin??

M0rphling
2 months ago

Researcher


Hi, the vulnerability is of type Open Redirect, which means the user is redirected from blogifier to another malicious page. In the real attack scenario, the attacker will send this URL to the user:
http://demo.blogifier.net/admin/login/?returnUrl={attacker_malicious_link} If the user logs in, he/she is then redirected to the malicious site. Reference: https://portswigger.net/kb/issues/00500100_open-redirection-reflected

We have sent a third and final follow up to the blogifierdotnet/blogifier team. This report is stale. a month ago
blogifierdotnet/blogifier maintainer validated this vulnerability a month ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
blogifierdotnet/blogifier maintainer confirmed that a fix has been merged on e0301d a month ago
The fix bounty has been dropped