Open Redirect on follow/unfollow user's profile action in go-gitea/gitea
Reported on Jun 7th 2023
Description
The idea is similar to CVE-2022-1058 ( https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ ).
When parsing http(s) URLs, browsers treat a backslash like a forward slash, so a redirect target of \\example.com is read as //example.com, a scheme-relative URL that resolves to https://example.com. A redirect parameter that only checks for an absolute URL or a leading "//" therefore lets this value through and becomes an open redirect.
Proof of Concept
The vulnerable endpoint is the follow/unfollow action on a user's profile.
To reproduce the bug quickly:
- Open any user profile
- Click Follow/Unfollow
- Intercept the resulting request with Burp
Vulnerable parameter: redirect_to
POST /admin123?action=follow&redirect_to=\\example.com HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: null
Connection: close
Cookie: i_like_gitea=7c60991704df67dd; lang=en-US; _csrf=kxOfYgnfpMMIT6mWaCfzPYRHdI46MTY4NjA0MjMxNDcwMTE0ODY5OQ
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
_csrf=kxOfYgnfpMMIT6mWaCfzPYRHdI46MTY4NjA0MjMxNDcwMTE0ODY5OQ
Response from server:
HTTP/1.1 302 Found
Location: /\\example.com
Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Date: Wed, 07 Jun 2023 07:32:30 GMT
Content-Length: 0
Connection: close
After a successful POST the server answers with a 302 whose Location header is /\\example.com. The browser treats the backslashes as slashes and interprets the value as //example.com, a scheme-relative URL, so the user is redirected off-site to example.com.
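As an added example (this is not code from the report or from Gitea's code base), the following Go program contrasts the kind of weak "local path only" check that lets \\example.com through with a hardened validator. It assumes the server prefixes a missing "/" and writes the value into Location unchanged, which is consistent with the request and response above; the function names, the shape of the weak check, and the small model of the browser's URL handling in browserInterpretsAsAuthority are all assumptions for illustration. The browser model goes a little beyond the report: the WHATWG URL parser also strips ASCII tab and newline and trims leading spaces before parsing, so those characters are rejected as well.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveIsLocal models the kind of "local path only" check that lets the
// report's payload through: parse the value and accept it if it has no scheme
// and no host. Go's url.Parse does not treat backslashes specially, so
// `\\example.com` parses as a bare path and passes. (Assumed shape of the
// weak check, not Gitea's code.)
func naiveIsLocal(redirectTo string) bool {
	u, err := url.Parse(redirectTo)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == ""
}

// naiveLocation models a server that prefixes a missing "/" and writes the
// value straight into the Location header, which is how `\\example.com`
// becomes `/\\example.com` in the report's response. (Assumed behaviour.)
func naiveLocation(redirectTo string) string {
	if !strings.HasPrefix(redirectTo, "/") {
		return "/" + redirectTo
	}
	return redirectTo
}

// browserInterpretsAsAuthority is a small model of the WHATWG URL parser's
// relative-URL handling for http(s): ASCII tab and newline are stripped,
// leading spaces are trimmed, backslash is treated like slash, and two
// leading (back)slashes introduce an authority, i.e. a new host. It answers
// "would the browser leave the current origin for this Location value?".
func browserInterpretsAsAuthority(location string) bool {
	s := strings.NewReplacer("\t", "", "\n", "", "\r", "").Replace(location)
	s = strings.TrimLeft(s, " ")
	isSlash := func(b byte) bool { return b == '/' || b == '\\' }
	return len(s) >= 2 && isSlash(s[0]) && isSlash(s[1])
}

// isSafeRedirect is the hardened check: accept only a plain absolute path on
// the current origin. It rejects absolute URLs, scheme-relative URLs ("//" or
// "/\"), any backslash, any control character or space (the browser strips
// tab/newline and trims spaces before parsing, so they must not be trusted),
// and anything url.Parse sees as having a scheme, host or userinfo.
func isSafeRedirect(redirectTo string) bool {
	if redirectTo == "" || redirectTo[0] != '/' {
		return false
	}
	if len(redirectTo) > 1 && (redirectTo[1] == '/' || redirectTo[1] == '\\') {
		return false
	}
	for _, r := range redirectTo {
		if r == '\\' || r <= ' ' || r == 0x7f {
			return false
		}
	}
	u, err := url.Parse(redirectTo)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && u.User == nil && strings.HasPrefix(u.Path, "/")
}

// safeLocation falls back to a fixed same-origin default when the
// redirect_to value fails the hardened check.
func safeLocation(redirectTo string) string {
	if isSafeRedirect(redirectTo) {
		return redirectTo
	}
	return "/"
}

func main() {
	// Constructed inputs: the report's payload, three variants, and two benign paths.
	for _, in := range []string{`\\example.com`, `/\example.com`, `//example.com`, "/\t/example.com", "/admin123", "/user/settings?tab=1"} {
		loc := naiveLocation(in)
		fmt.Printf("%-24q naive accepts=%-5v browser leaves origin=%-5v hardened Location=%q\n",
			in, naiveIsLocal(in), browserInterpretsAsAuthority(loc), safeLocation(in))
	}
}
```

The point of the table the program prints is that the weak check and the browser disagree: url.Parse sees no host in \\example.com, but the browser sees one. A redirect validator has to reject anything the browser could turn into an authority, not just what the server-side parser recognises as one, and should fall back to a fixed path rather than trying to "repair" the value.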
Impact
This is a post-authentication redirect, and the request is a POST that carries a valid CSRF token, so it is unlikely to be exploited directly or chained with other bugs for phishing or credential theft.
@admin Hi huntrdev admin, can I ask whether you have made contact with the repo maintainers?
I have updated the CVSS complexity to high as, while the redirect URL parameter is not checked correctly, I see no way this can be abused in any way because of other security measures already in place. For a higher CVSS, a PoC would need to be provided on how this can be abused without intercepting the request and modifying it manually.
Hey @Lauris BH, you were right about the complexity. Currently there is no way that this can be abused or turned into a GET-based open redirect, so the complexity will be high. Thanks for your correction.
@Quang Vo I have already submitted patch https://github.com/go-gitea/gitea/pull/25143
Hi @Lauris BH, I saw that haha. Out of curiosity, will there be any CVE for this vulnerability? I understand that the severity is low, just asking to understand how this platform and the process work.
I believe huntr.dev requests CVEs for accepted issues published through their platform
I think huntr.dev will assign a CVE for this; we are still in the process of becoming a CNA to manage CVEs for Gitea ourselves.
Ahh okay thanks a lot guys. I guess I'll hear from huntr.dev @admin soon. It's been a pleasure working with you guys
Hi, the CVE will be assigned and published on July 8th 2023 when this report goes live :)