Open Redirect in collectiveaccess/providence

Valid

Reported on

Nov 21st 2021

Description

I found a new way to bypass the Open Redirect with the "redirect" parameter on the login page.

Vulnerable parameter

redirect

Payload

https://demo.collectiveaccess.org.example.com

Proof of Concept

Send users the following login link https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=https%3A%2F%2Fdemo.collectiveaccess.org.example.com
After users use their registered accounts to log in, they will be redirected to demo.collectiveaccess.org.example.com
Note that I can fully host a domain and create a subdomain like that.

Impact

This functionality is not restricted to relative URLs within the application and could be leveraged by an attacker to fool an end-user into believing that a malicious URL they were redirected to is valid. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
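The bypass works because a redirect check that only looks at the beginning of the string accepts any host whose name merely starts with the trusted one. The following is an added illustration written for this page, not code from CollectiveAccess (Providence is a PHP application; Python is used here only to make the check runnable). It contrasts a prefix check with a validator that parses the URL and compares the host exactly against an allow-list; the allow-list contents, the function names and the fallback path are assumptions for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list of hosts the login page may redirect to (example only).
ALLOWED_HOSTS = {"demo.collectiveaccess.org"}


def naive_is_safe_redirect(url: str, trusted_prefix: str = "https://demo.collectiveaccess.org") -> bool:
    """The weak pattern: a string prefix check. Anything that *starts* with the
    trusted origin passes, including https://demo.collectiveaccess.org.example.com
    and https://demo.collectiveaccess.org@evil.example/."""
    return url.startswith(trusted_prefix)


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Parse the URL and decide on structure rather than on a prefix.

    Accepts: same-origin relative paths ("/index.php/...") and absolute
    http(s) URLs whose hostname is exactly in the allow-list.
    Rejects: foreign hosts, "subdomain-suffix" hosts, protocol-relative
    URLs ("//host"), backslash variants, non-http schemes, and userinfo tricks.
    """
    parts = urlsplit(url)

    if parts.scheme == "" and parts.netloc == "":
        # A bare path. Browsers treat "//host" and "/\host" as protocol-relative,
        # so only a single leading slash followed by a normal character is allowed.
        return url.startswith("/") and not url.startswith(("//", "/\\"))

    if parts.scheme.lower() not in ("http", "https"):
        return False

    # .hostname strips any user:pass@ prefix and port and lower-cases the name,
    # so "demo.collectiveaccess.org@evil.example" resolves to "evil.example".
    return parts.hostname in allowed_hosts


def safe_target(url: str, fallback: str = "/") -> str:
    """Return the redirect target to use after login: the requested URL if it
    passes validation, otherwise a fixed same-site fallback (assumed here to be "/")."""
    return url if is_safe_redirect(url) else fallback


def redirect_param_from_login_link(link: str) -> str:
    """Extract the (already percent-decoded) value of the 'redirect' query
    parameter from a login link, or "" if absent."""
    values = parse_qs(urlsplit(link).query).get("redirect", [])
    return values[0] if values else ""


if __name__ == "__main__":
    # The login link from the proof of concept above.
    poc_link = ("https://demo.collectiveaccess.org/index.php/system/auth/login"
                "?redirect=https%3A%2F%2Fdemo.collectiveaccess.org.example.com")
    target = redirect_param_from_login_link(poc_link)
    print("redirect param:", target)
    print("prefix check accepts it:", naive_is_safe_redirect(target))
    print("host check accepts it:  ", is_safe_redirect(target))
    print("post-login target used: ", safe_target(target))
```

The key design point is to compare the parsed hostname for equality against a fixed set rather than testing the raw string, and to fall back to a known same-site path when validation fails instead of echoing the attacker-controlled value.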

We are processing your report and will contact the collectiveaccess/providence team within 24 hours. 7 days ago
We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 6 days ago
CollectiveAccess validated this vulnerability 6 days ago
Chau Minh Khanh has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on a45392 6 days ago
CollectiveAccess has been awarded the fix bounty
CollectiveAccess (Maintainer), 6 days ago:

Thanks for catching that.