Open Redirect in openwhyd/openwhyd

Valid

Reported on

Aug 26th 2021


✍️ Description

There is an open redirect in the following URL:

https://openwhyd.org/consent?redirect=https://mdakh404.github.io

After the user agrees to the site policy, they will be redirected to my blog! It's an open redirect.

🕵️‍♂️ Proof of Concept

1- Open the link: https://openwhyd.org/consent?redirect=https://mdakh404.github.io
2- Agree to the conditions
3- Click on submit; you will be redirected to [my own blog](https://mdakh404.github.io).

💥 Impact

Open Redirect is one of the most useful attacks in terms of phishing. Users are the targets of phishing attacks; such attacks may target the integrity of the user, and depending on the user's security awareness, some may download malicious files etc. A lot can be done using an open redirect.

📍 Location

consent.js#L57-L59

📝 References

Portswigger's Open Redirect Article

We have contacted a member of the openwhyd team and are waiting to hear back (a year ago)
Moad Akhraz modified the report (a year ago)
Adrien Joly validated this vulnerability (a year ago)
Moad Akhraz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adrien Joly (Maintainer), a year ago
Thank you for reporting, Moad! Would you be interested in submitting a patch, through a Pull Request on our GitHub repository?

Moad Akhraz (Researcher), a year ago
Hey Adrien, thanks for the bounty!

I think that we must redirect the user to the home directory instead of the user-controlled value, so I think that removing params.redirect should be a great fix. What do you think?

Kind regards, @mdakh404

Moad Akhraz submitted a
a year ago
Moad Akhraz (Researcher), a year ago
The patch has been submitted! Can you please take a look at the patch and see if it's valid and a proper fix for the issue?

Thanks

Adrien Joly (Maintainer), a year ago
Thanks for proposing a patch, Moad! Unfortunately, the consent page can be brought up from any page (e.g. https://github.com/openwhyd/openwhyd/blob/master/app/controllers/userLibrary.js#L72), and redirecting to that page (whatever it is) after consenting is important to provide a good user experience. In order to maintain the user experience, I guess that we could force openwhyd's domain (i.e. config.urlPrefix) by reconstructing a URL and injecting the expected path into it.
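
The approach Adrien describes above (and the reason plain removal of params.redirect, as suggested earlier in the thread, loses the return-to-page behaviour), as an added example written for this page; it is not openwhyd's own code and not the merged fix in PR #496. The untrusted redirect value is parsed, only its path, query and fragment are kept, and those are rebuilt on the trusted prefix, so the parameter can choose where on the site the user lands but never another host. URL_PREFIX stands in for config.urlPrefix and is an assumed value; safeRedirectTarget is a hypothetical helper name.

```javascript
// Added example for this report, not openwhyd's code. Rebuilds the post-consent
// redirect on a trusted origin so the `redirect` query value can only pick a path.

// Stands in for config.urlPrefix (assumed value for this example).
const URL_PREFIX = 'https://openwhyd.org';

// Returns an absolute URL on URL_PREFIX's origin, or the home page when the
// input cannot be safely reused.
function safeRedirectTarget(untrusted, urlPrefix = URL_PREFIX) {
  const base = new URL(urlPrefix);
  let parsed;
  try {
    // Relative values ("/u/1") resolve against our origin; absolute ones
    // ("https://evil.example/x", "//evil.example/x") keep their own host here.
    parsed = new URL(String(untrusted ?? ''), base);
  } catch {
    return base.href; // unparseable input: send the user home
  }
  // Anything that is not http(s) (javascript:, data:, ...) is never a redirect.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return base.href;
  }
  // Keep only path, query and fragment; drop scheme, credentials, host, port.
  const out = new URL(base);
  out.pathname = parsed.pathname;
  out.search = parsed.search;
  out.hash = parsed.hash;
  // Defence in depth: the rebuilt URL must still be on our origin.
  if (out.origin !== base.origin) {
    return base.href;
  }
  return out.href;
}

// Constructed sample inputs, including the payload from the report.
const SAMPLES = [
  'https://mdakh404.github.io', // the reported payload
  '/u/123/library?page=2#top',  // a legitimate in-app return path
  '//evil.example/u/1',         // protocol-relative
  '/\\evil.example/x',          // backslash trick, normalised by the WHATWG parser
  'javascript:alert(1)',        // non-http scheme
  undefined,                    // parameter missing
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s));
}
```

In a handler this would replace the raw parameter, e.g. res.redirect(safeRedirectTarget(req.query.redirect)). The origin comparison at the end is intentionally redundant with the property-by-property rebuild: it catches any parser quirk that would let a host sneak in through the path.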

Moad Akhraz (Researcher), a year ago
Hey,

That's a great idea! The important thing is keeping the redirection point far away from untrusted values!

Best regards!

Adrien Joly (Maintainer), a year ago
Fix is in progress: https://github.com/openwhyd/openwhyd/pull/496

Adrien Joly (Maintainer), a year ago
Fix is done and running in production. Thank you for your help, Moad!

Adrien Joly confirmed that a fix has been merged on eb7a0e (a year ago)
Adrien Joly has been awarded the fix bounty