Open redirect vulnerability via endpoint authorize_and_redirect/?redirect= in posthog/posthog
Reported on
Mar 22nd 2022
Description
The PostHog application is vulnerable to an open redirect: the redirect query parameter of the /authorize_and_redirect/ endpoint is not restricted to the application's own origin, so a link such as /authorize_and_redirect/?redirect=https://evil.com sends the authenticated user to an attacker-controlled site.
Proof of Concept
1. Open the link https://app.posthog.com/login?next=/authorize_and_redirect/%3Fredirect%3Dhttps%25253A%25252F%25252Fevil.com (the redirect target is URL-encoded three times so that it survives each decoding step in the chain).
2. Log in with your account and click on "Authorize None".
3. You are redirected to https://evil.com/.
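The following is an added example, not code from the report or from the PostHog code base. It unwraps the triple-encoded PoC value the way a chain of three URL decodes would (that decoding chain is an assumption chosen to match the PoC, not a description of PostHog's handlers) and then applies the kind of same-host check an open-redirect fix needs. The host app.posthog.com, the function names, and the constructed next= value are all assumptions for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed from the PoC link in the report: the `next=` value as it arrives
# at the login view after the browser's single decode of the address-bar URL.
# The target is encoded three times so it survives each decode in the chain.
POC_NEXT = "/authorize_and_redirect/%3Fredirect%3Dhttps%25253A%25252F%25252Fevil.com"

APP_HOST = "app.posthog.com"  # assumed: the only host a redirect may land on


def extract_redirect_target(next_value: str) -> str:
    """Unwrap the `redirect=` value nested inside `next=`.

    Assumed decoding chain (chosen to match the PoC's triple encoding, not taken
    from PostHog's code): `next` is decoded once when the login view redirects to
    it, the query string is decoded once more when the authorize view parses it,
    and the value is decoded a final time before it is used as a Location.
    """
    authorize_url = unquote(next_value)
    params = dict(parse_qsl(urlparse(authorize_url).query))  # parse_qsl decodes once
    return unquote(params.get("redirect", ""))


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Hardened check: accept only app-local paths or absolute URLs on allowed_host."""
    # Scheme-relative and backslash forms are treated as cross-origin by browsers.
    if target.startswith(("//", "/\\", "\\")):
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False  # javascript:, data:, and similar pseudo-schemes
    if not parsed.netloc:
        return target.startswith("/")  # plain path inside the application
    # Exact hostname match. A suffix/prefix check would accept
    # app.posthog.com.evil.com, and comparing netloc would accept
    # app.posthog.com@evil.com, which is why hostname is compared.
    return parsed.hostname == allowed_host


def resolve_redirect(next_value: str, allowed_host: str, default: str = "/") -> str:
    """The Location the authorize view should send for a given next= value."""
    target = extract_redirect_target(next_value)
    return target if is_safe_redirect(target, allowed_host) else default


if __name__ == "__main__":
    print("attacker-controlled target:", extract_redirect_target(POC_NEXT))
    print("Location after validation:", resolve_redirect(POC_NEXT, APP_HOST))
```

In a Django application the same check is available as django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts=...); the hand-written version above exists only to make visible which inputs (scheme-relative URLs, userinfo tricks, look-alike subdomains, non-http schemes) a correct check has to reject.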
Video PoC
https://drive.google.com/file/d/1NIG6_wM0SAKlKEjOxVuKF2UbI8Xs16s8/view?usp=sharing
Impact
URL redirection (an unvalidated open redirect) is commonly used in phishing attacks and malware delivery: because the link starts on a trusted domain, the end user may not realise which site they have actually landed on.
1. Attackers could redirect victims to inappropriate sites such as adult (18+) content, which degrades the reputation of your site because the redirection originated from your domain.
2. Attackers could deliver malware or phishing pages under the name of your website and thereby steal user credentials.
References
Hello @maintainer,
The CVSS score is not low; it should be medium. You can see in the reports below that open redirects are all given a CVSS of 7.1/6.1 (medium):
https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/
https://nvd.nist.gov/vuln/detail/CVE-2021-38123
https://nvd.nist.gov/vuln/detail/CVE-2020-11053
https://nvd.nist.gov/vuln/detail/CVE-2018-1000671
https://nvd.nist.gov/vuln/detail/CVE-2022-0597
@admin Can you please ask @maintainer to allow you to assign a CVE for this report?
@sampritdas8 - please allow the maintainer to make their assessment before requesting a CVE. If they do not believe the report to be valid, we will not assign a CVE in any case.
We have implemented a fix that limits the redirect to the referer. https://github.com/PostHog/posthog/pull/9268
Our reason for assigning this low was that the user specifically had to click that they wanted to be redirected to the evil site with a big warning.
Thanks for the fix @maintainer. Actually, users will think the link evil.com is trusted because it is attached to your domain and they will click on it.
@admin, as the maintainer has deployed the fix, can you please validate the report and merge the fix? As I can also see in this report: https://huntr.dev/bounties/6961d738-60e4-461a-acd3-e276d422070f/ the maintainer is facing a problem validating the report.
@sampritdas8 - please do not spam the @admin tag. Excessive usage will result in the disabling of this action for your account.
Please allow the maintainer to approve and confirm the fix, as they may have their own schedule on making this report public and releasing the fix.
@maintainer - let me know if you are having any issues and I can support you. @sampritdas8 please be patient and wait for the maintainer to respond.
Sorry, @admin for disturbing you, now can you please assign a CVE for this report?
Sure - @maintainer are you happy for us to assign and publish a CVE for this report?
Does publishing a CVE mean this will be public? In that case we'd prefer waiting until the next release for this (~4 weeks) so self-hosted users have a chance to update with a fix.
Yes, when publishing a CVE, the report will be distributed into various intelligence databases including the NVD/MITRE.
In that case we'd like to keep this private until we have a new version available that allows self hosted users to update
Sure 👍 Would you like me to also make the report itself private on our platform, as it is currently public.
@maintainer please update us once the new version has been released
@admin, would it be possible for you to assign the CVE now, and then, once the new version has been released, make the report public and update the CVE on NVD/MITRE?
Sure, we can assign the CVE now and wait to publish it once the report is ready to go live.
@maintainer - thoughts?
Admin, as the report is Severity: Medium (6.1), why have I still not received any bounty?
Not sure I understand the question. We don't want to publish anything before the new release.
@maintainer, Admin means that he will assign the CVE number to this report and it will get published once the new release takes place.
@sampritdas8 - let's leave this report as it is until we take it live.
With regards to the bounties, we do not reward bounties on Medium severity reports against non-featured repositories.
If you have any more questions, please get in touch via security@huntr.dev or join our Discord.
@maintainer, I have retested your application and confirmed that the vulnerability has been fixed, and a new release is out now. Can you give permission to @admin to assign a CVE to this report and to disclose the report?
@admin, here you can see that the fix has been released in version 1.34.0: https://github.com/PostHog/posthog/pull/9268 So can you assign the CVE and disclose the report?
We will only do this with the go-ahead from the maintainer. Please wait to hear back from them here.
@admin, they are not replying; can you please ask them? And the release fix has been confirmed.
As mentioned above, please wait for the maintainers to respond 👍
@admin, we have released; happy to assign a CVE here. Is there anything else required here, e.g. how might I provide mitigation steps (e.g. upgrade to 1.34.x)?
@admin, the maintainer has given permission, so can you now assign the CVE, update it on NVD, and make the report public?
Sure, I will get a CVE assigned and published here.
@Harry, there is nothing else required from your side :) Thanks for the contributions all!
@admin, the report is still private; can you please make it public?