Open Redirect in openwhyd/openwhyd

Valid

Reported on

Aug 26th 2021


✍️ Description

There is an open redirect in the following URL:

https://openwhyd.org/consent?redirect=https://mdakh404.github.io

After the user agrees to the site policy, they will be redirected to my blog! It's an open redirect.

🕵️‍♂️ Proof of Concept

1- Open the link: https://openwhyd.org/consent?redirect=https://mdakh404.github.io
2- Agree to the conditions
3- Click on submit; you will be redirected to [my own blog](https://mdakh404.github.io).

💥 Impact

Open Redirect is one of the most useful attacks in terms of phishing. Users are the target of phishing attacks; such attacks may target the integrity of the user. Depending on the user's security awareness, some may download malicious files, etc. A lot can be done using an open redirect.

📍 Location

consent.js#L57-L59

📝 References

Portswigger's Open Redirect Article

We have contacted a member of the openwhyd team and are waiting to hear back (3 months ago)
Moad Akhraz modified their report (3 months ago)
Adrien Joly validated this vulnerability (a month ago)
Moad Akhraz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly
a month ago

Maintainer


Thank you for reporting, Moad! Would you be interested in submitting a patch, through a Pull Request on our GitHub repository?

Moad Akhraz
a month ago

Researcher


Hey Adrien, thanks for the bounty!

I think that we must redirect the user to the home directory instead of the user-controlled value, so I think that removing params.redirect should be a great fix. What do you think?

Kind regards, @mdakh404

Moad Akhraz submitted a
a month ago
Moad Akhraz
a month ago

Researcher


The patch has been submitted! Can you please take a look at the patch and see if it's valid and if it's a proper fix for the issue?

Thanks

Adrien Joly
a month ago

Maintainer


Thanks for proposing a patch, Moad! Unfortunately, the consent page can be brought up from any page (e.g. https://github.com/openwhyd/openwhyd/blob/master/app/controllers/userLibrary.js#L72), and redirecting to that page (whatever it is) after consenting is important to provide a good user experience. In order to maintain the user experience, I guess that we could force openwhyd's domain (i.e. config.urlPrefix) by reconstructing a URL and injecting the expected path into it.
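
As an added example (not openwhyd's code, and not the patch that was eventually merged), here is the redirect shape the report describes beside a hardened version that follows the maintainer's proposal above: reconstruct the target from the site's own origin and inject only the requested path. It is written in JavaScript because openwhyd is a Node.js application. The `URL_PREFIX` constant standing in for config.urlPrefix, the shape of the vulnerable handler, and all function names are assumptions; the original consent.js is not reproduced.

```javascript
// Added example, not openwhyd's code: the report's redirect shape beside a
// hardened version that rebuilds the target from the site's own origin, as
// the maintainer proposes. URL_PREFIX stands in for config.urlPrefix and
// every function name here is an assumption; consent.js is not reproduced.
// Uses the WHATWG URL class that Node.js exposes globally.

// Assumed trusted origin of the application (what config.urlPrefix holds).
const URL_PREFIX = "https://openwhyd.org";

// Vulnerable shape: whatever arrived in ?redirect= is used as-is, so
// ?redirect=https://mdakh404.github.io sends the user off-site after consent.
function vulnerableRedirectTarget(params) {
  return params.redirect || "/";
}

// Hardened: parse the requested target relative to the trusted base, then
// rebuild the final URL from the trusted origin plus only the path, query
// and fragment of what was requested. The host can never come from the user:
//   "https://mdakh404.github.io"        -> "https://openwhyd.org/"
//   "//evil.example/login"              -> "https://openwhyd.org/login"
//   "javascript:alert(1)"               -> "https://openwhyd.org/"
//   "/u/123/playlist/4?tab=tracks#top"  -> "https://openwhyd.org/u/123/playlist/4?tab=tracks#top"
function safeRedirectTarget(params, urlPrefix = URL_PREFIX) {
  const base = new URL(urlPrefix);
  const fallback = base.origin + "/";
  const raw = typeof params.redirect === "string" ? params.redirect : "";
  let requested;
  try {
    requested = new URL(raw, base); // relative paths resolve against the trusted base
  } catch (e) {
    return fallback; // unparseable input: send the user home
  }
  // Only http(s) URLs are guaranteed a leading-slash pathname; javascript:,
  // data:, mailto: and friends would not yield a sane path to inject.
  if (requested.protocol !== "http:" && requested.protocol !== "https:") {
    return fallback;
  }
  return base.origin + requested.pathname + requested.search + requested.hash;
}

// Side-by-side run over constructed inputs (not taken from the report) so the
// difference is visible; returns the rows so callers can inspect them.
function compareTargets(inputs) {
  return inputs.map((redirect) => ({
    redirect,
    vulnerable: vulnerableRedirectTarget({ redirect }),
    safe: safeRedirectTarget({ redirect }),
  }));
}

console.table(
  compareTargets([
    "https://mdakh404.github.io",
    "//evil.example/login",
    "javascript:alert(1)",
    "https://openwhyd.org@evil.example/x",
    "/u/123/playlist/4?tab=tracks#top",
  ])
);
```

Because the WHATWG parser normalises backslashes and resolves scheme-relative and userinfo tricks before the origin is discarded, every variant ends up on the trusted origin. The path itself still comes from the user, which is what the maintainer wants for a good post-consent experience; if a deployment would rather refuse off-site targets than rehost their path, compare `requested.origin` with `base.origin` and return the fallback on mismatch.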

Moad Akhraz
a month ago

Researcher


Hey,

That's a great idea! The important thing is keeping the redirection point far away from untrusted values!

Best regards!

Adrien Joly
a month ago

Maintainer


Fix is in progress: https://github.com/openwhyd/openwhyd/pull/496

Adrien Joly
a month ago

Maintainer


Fix is done and running in production. Thank you for your help, Moad!

Adrien Joly confirmed that a fix has been merged on eb7a0e a month ago
Adrien Joly has been awarded the fix bounty