Open Redirect in sbrl/pepperminty-wiki

Valid

Reported on

Sep 29th 2021


Description

I saw this report

https://huntr.dev/bounties/89f222e4-2aaa-44f8-8b24-657d3a0e741f/

and this fix commit :

https://github.com/sbrl/Pepperminty-Wiki/blob/f59e68127cb4147e49f9453e1f657cc24972fda5/modules/page-login.php#L167

and I find out that you never use the new $returnto_redirect parameter and I think you should replace it with $_GET["returnto"] in following line of code :

https://github.com/sbrl/Pepperminty-Wiki/blob/f59e68127cb4147e49f9453e1f657cc24972fda5/modules/page-login.php#L167

We have contacted a member of the sbrl/pepperminty-wiki team and are waiting to hear back a year ago
Starbeamrainbowlabs
a year ago

Maintainer


Hey there! I spotted the same mistake, and fixed it in https://github.com/sbrl/Pepperminty-Wiki/commit/7cf545a3caf50a5fa1cfc0df871933f02bf3dcd8

Starbeamrainbowlabs validated this vulnerability a year ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
Starbeamrainbowlabs confirmed that a fix has been merged on 7cf545 a year ago
The fix bounty has been dropped
page-login.php#L167 has been validated
amammad
a year ago

Researcher


why the bounty amount is 2$ my dear ? is it a mistake or somethings else ?

Starbeamrainbowlabs
a year ago

Maintainer


It asked me to set a bounty, but I got confused @amammad

I didn't realise this site required me to pay a bounty

I'm just a PhD student at university, I can't afford to pay any bounties, sorry

amammad
a year ago

Researcher


No my dear :) you wrong

Huntr.dev give all repositories on GitHub ( just those one that have good score ) 250$ - 500$ budget every month and they want just ask you to manage the whole your repository budget with selecting how much that you want to give us ( bug hunters ) from The budget

@admin can I ask you change the state of this report to Pending ?

amammad
a year ago

Researcher


Then you don't need to pay any bounty with your money.

Jamie Slome
a year ago

Admin


@maintainer - huntr.dev pays for all bounties. You do not need to pay for it yourself.

amammad
a year ago

Researcher


hey maintainer can I ask you to give me some feedback according to previous comments?

you just ask the admin to increase the bounty

Starbeamrainbowlabs
a year ago

Maintainer


I don't understand this site

I fixed the vulnerability?

How am I supposed to know how much it's worth

I'm just an open source maintainer doing something cool in my spare time

Managing some mystery budget I don't understand where its coming from is too stressful.

I can't do this

amammad
a year ago

Researcher


Hey man OK, I understand you situation....

there isn't any force or somethings like that.

@admin can I ask you to talk with him please ?

Jamie Slome
a year ago

Admin


@sbrl - we apologize for any confusion here.

We have seen that maintainers have had some difficulties using the new prize selection feature, and so will be looking to address this shortly.

We allot $250 of security research funding to any repository/maintainer that joins our platform. With regards to understanding how much to value a report at, it is completely up to the maintainer. If you believe a report to be high severity or serious impact, you can reward higher, otherwise lower.

All this said, we appreciate your feedback, and it has been shared with the team internally.

amammad
a year ago

Researcher


@admin can i ask you to fill the bounty please?

Jamie Slome
a year ago

Admin


@amammad - if the maintainer confirms they are happy, we can give the full reward.

amammad
a year ago

Researcher


@maintainer

huntr platfrom working near two years and I personally get paid from them in last three month

they pay both of us bounty thats mean also you get the bounty too

Many big repositories participate in this palrform without even a little problem

please dont have any worries and there isnt absolutely any stressful situation

make me happy and request admin to make the reward more that before

Starbeamrainbowlabs
a year ago

Maintainer


They can set the reward to whatever is fair. I have no idea how much a vulnerability is worth

I'm still not convinced actually that this website is actually legit considering I got an email in my inbox one day about it

amammad
a year ago

Researcher


@admin can i ask you to fill the bounty to 25$ thanks.

@maintainer I really sont understand your worries as i and many maintainers get paids for at least one year in this platform.

Jamie Slome
a year ago

Admin


I updated the disclosure bounty back to $25 🎊

to join this conversation