Bypass previous fix in sissbruecker/linkding
Reported on
Mar 26th 2022
Description
Bypass previous report fix
Proof of Concept
it checks if return_url starts with / . So, it can be bypasssed using //google.com .
1. Login in the demo instance https://demo.linkding.link/
2. Go to https://demo.linkding.link/bookmarks/3/remove?return_url=//google.com
3. You will be redirected to google.com
Impact
open redirect check bypass
@admin This seems to be a duplicate of https://huntr.dev/bounties/a5efbedb-fc31-4386-b894-439bfd9ec62c/
@maintainer No, his report will be duplicate of mine . You should validate my report first because my report submitted 26th march and his report at 27th march
just check the report time . His report submitted 1 day after me . So, my report will be original and https://huntr.dev/bounties/a5efbedb-fc31-4386-b894-439bfd9ec62c/ will be duplicate
Sorry, I saw the other one first, and the issue has been fixed. For now I'll leave the status as is, feel free to take it up with whomever can make the decision with what's a duplicate or not.
yes. @admin can you plz check this report time . My report should be original report here
Hello @ranjit-git - would you be happy to split the bounties 50/50 between this report and the other, and we can mark both reports as valid? Seeing as yours was first, but the other one was validated first, we think this is the fairest way forward here.
Let me know your thoughts.
@maintainer - feel free to move forward with this report - marking it as valid, confirming the severity of the report and confirming the patch.
We will treat this as the first instance of the vulnerability report, and the other report as a duplicate.
The other researcher has said that they are happy to forgo the bounty, as well.
If we don't hear back from the maintainer post the final follow-up, I will go ahead 👍
@admin https://github.com/sissbruecker/linkding/commit/3906d9e5b86c56e26e9b4cc0f1e4f2e8fcc44744