Bypass previous fix in sissbruecker/linkding

Valid

Reported on

Mar 26th 2022


Description

Bypass previous report fix

Proof of Concept

It checks if return_url starts with /. So it can be bypassed using //google.com.

1. Log in to the demo instance https://demo.linkding.link/
2. Go to https://demo.linkding.link/bookmarks/3/remove?return_url=//google.com
3. You will be redirected to google.com

Impact

Open redirect check bypass
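The bypass above works because a bare startswith("/") check also accepts protocol-relative URLs (//host/path), which browsers resolve against the current scheme and send to the foreign host. The following is an added example by the editor, not linkding's own code and not the fix in the referenced commit: weak_is_safe_return_url is a hypothetical reproduction of the check the report describes, safe_is_safe_return_url is a hardened replacement that mirrors the checks Django ships as django.utils.http.url_has_allowed_host_and_scheme (reimplemented here so it runs without Django), and resolve_redirect stands in for the view's decision. The allowed host demo.linkding.link and the /bookmarks fallback are assumptions for the example.

```python
from urllib.parse import urlparse

DEMO_HOST = "demo.linkding.link"  # assumed allowed host for this example


def weak_is_safe_return_url(return_url: str) -> bool:
    """Hypothetical reproduction of the check the report describes.

    Accepts anything starting with "/", so "//google.com" passes and the
    browser follows it as a protocol-relative URL to an external host.
    """
    return return_url.startswith("/")


def safe_is_safe_return_url(return_url: str, allowed_hosts=(DEMO_HOST,)) -> bool:
    """Hardened check (editor's example, modelled on Django's
    url_has_allowed_host_and_scheme, not linkding's code).

    Accepts only a same-site path ("/bookmarks?x=y") or an absolute
    http(s) URL whose authority is exactly one of allowed_hosts.
    """
    if not return_url:
        return False
    # Control characters and whitespace are stripped by browsers before
    # parsing, which can turn "\t//evil" into "//evil"; reject them outright.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in return_url):
        return False
    # Chrome and Edge treat "\" like "/" in the authority position, so
    # "/\evil.com" is another spelling of "//evil.com". Normalise first.
    url = return_url.replace("\\", "/")
    parsed = urlparse(url)
    if parsed.scheme or parsed.netloc:
        # Any URL that carries a scheme or authority (including the
        # protocol-relative "//host" form, where scheme is empty but
        # netloc is set) must be http(s) and point at an allowed host.
        # netloc is matched exactly, so "allowed@evil.com" and
        # "allowed:8443" do not slip through.
        return parsed.scheme in ("http", "https") and parsed.netloc in allowed_hosts
    # No scheme, no authority: require a single leading slash. "///host"
    # parses with an empty netloc but some browsers still treat it as
    # protocol-relative, so reject every "//" prefix.
    return url.startswith("/") and not url.startswith("//")


def resolve_redirect(return_url: str, fallback: str = "/bookmarks") -> str:
    """Stand-in for the view's redirect decision: use the supplied
    return_url only if it passes the hardened check, else fall back."""
    return return_url if safe_is_safe_return_url(return_url) else fallback


if __name__ == "__main__":
    # Constructed probe inputs: the report's payload plus common variants.
    probes = [
        "/bookmarks",
        "/bookmarks?q=test",
        "//google.com",
        "/\\google.com",
        "///google.com",
        "https://demo.linkding.link/bookmarks",
        "https://evil.example/bookmarks",
        "javascript:alert(1)",
    ]
    for p in probes:
        print(f"{p!r:45} weak={weak_is_safe_return_url(p)!s:5} "
              f"safe={safe_is_safe_return_url(p)!s:5} -> {resolve_redirect(p)}")
```

Running the script shows the weak check accepting every input that begins with "/" (including the //google.com payload from the proof of concept), while the hardened check only lets the two same-site paths and the same-host absolute URL through; everything else falls back to /bookmarks.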

We are processing your report and will contact the sissbruecker/linkding team within 24 hours. 2 months ago
We have contacted a member of the sissbruecker/linkding team and are waiting to hear back 2 months ago
Sascha
2 months ago

Maintainer


@admin This seems to be a duplicate of https://huntr.dev/bounties/a5efbedb-fc31-4386-b894-439bfd9ec62c/

ranjit-git
2 months ago

Researcher


@maintainer No, his report will be a duplicate of mine. You should validate my report first because my report was submitted on 26th March and his report on 27th March.

ranjit-git
2 months ago

Researcher


Just check the report time. His report was submitted one day after mine. So my report will be the original and https://huntr.dev/bounties/a5efbedb-fc31-4386-b894-439bfd9ec62c/ will be the duplicate.

ranjit-git modified the report
2 months ago
Sascha
2 months ago

Maintainer


Sorry, I saw the other one first, and the issue has been fixed. For now I'll leave the status as is, feel free to take it up with whomever can make the decision with what's a duplicate or not.

ranjit-git
2 months ago

Researcher


Yes. @admin, can you please check this report's time? My report should be the original report here.

Jamie Slome
2 months ago

Admin


Hello @ranjit-git - would you be happy to split the bounties 50/50 between this report and the other, and we can mark both reports as valid? Seeing as yours was first, but the other one was validated first, we think this is the fairest way forward here.

Let me know your thoughts.

ranjit-git
2 months ago

Researcher


Ok @admin

We have sent a follow up to the sissbruecker/linkding team. We will try again in 7 days. 2 months ago
Jamie Slome
2 months ago

Admin


@maintainer - feel free to move forward with this report - marking it as valid, confirming the severity of the report and confirming the patch.

We will treat this as the first instance of the vulnerability report, and the other report as a duplicate.

The other researcher has said that they are happy to forgo the bounty, as well.

We have sent a second follow up to the sissbruecker/linkding team. We will try again in 10 days. 2 months ago
ranjit-git
a month ago

Researcher


@admin @maintainer can you please validate this report?

Jamie Slome
a month ago

Admin


If we don't hear back from the maintainer post the final follow-up, I will go ahead 👍

We have sent a third and final follow up to the sissbruecker/linkding team. This report is now considered stale. a month ago
ranjit-git
a month ago

Researcher


@admin can you please validate this report?

Jamie Slome
a month ago

Admin


Sure, do we have the commit SHA that addressed this issue?

ranjit-git
a month ago

Researcher


@admin https://github.com/sissbruecker/linkding/commit/3906d9e5b86c56e26e9b4cc0f1e4f2e8fcc44744

Jamie Slome validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jamie Slome confirmed that a fix has been merged on 3906d9 a month ago
The fix bounty has been dropped
models.py#L82-L115 has been validated
bookmarks.py#L2-L198 has been validated
utils.py#L90-L104 has been validated