Open Redirect in collectiveaccess/providence

Valid

Reported on

Nov 21st 2021


Description

I found a new way to bypass the Open Redirect with the "redirect" parameter on the login page.

Vulnerable parameter

redirect

Payload

https://demo.collectiveaccess.org.example.com

Proof of Concept

Send users the following login link https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=https%3A%2F%2Fdemo.collectiveaccess.org.example.com
After users use their registered accounts to log in, they will be redirected to demo.collectiveaccess.org.example.com
Note that I can fully host such a domain and create a subdomain like that.

Impact

This functionality is not restricted to relative URLs within the application and could be leveraged by an attacker to fool an end-user into believing that a malicious URL they were redirected to is valid. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
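The payload works because a host-based allow-list is easy to get wrong: `demo.collectiveaccess.org.example.com` begins with the trusted host name but is a completely different domain. The following is an added example (not code from the report or from the providence project) contrasting a hypothetical prefix check, which is one plausible way the payload passes, with a validator that parses the URL and compares the hostname exactly or only accepts same-origin relative paths. The trusted host name, the `weak_is_safe_redirect` and `safe_redirect_target` functions, and the test inputs other than the report's payload are assumptions.

```python
from urllib.parse import urlparse

# Host taken from the report's PoC link; the payload is the report's redirect value.
TRUSTED_HOST = "demo.collectiveaccess.org"
PAYLOAD = "https://demo.collectiveaccess.org.example.com"


def weak_is_safe_redirect(url: str) -> bool:
    """Hypothetical check that treats the trusted host as a string prefix.

    This is an assumed, deliberately flawed pattern, not the project's code:
    it accepts any URL that merely *starts with* the trusted origin, so the
    report's payload passes even though its registrable domain is example.com.
    """
    return url.startswith("/") or url.startswith("https://" + TRUSTED_HOST)


def safe_redirect_target(url: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Return `url` if it stays on the application, otherwise a safe default.

    Accepts two shapes only:
      * a site-relative path ("/index.php/..."), excluding scheme-relative
        "//host" forms and backslashes that browsers normalise to slashes;
      * an absolute http(s) URL whose parsed hostname equals `trusted_host`
        exactly (hostname is lowercased and excludes userinfo and port, so
        "https://trusted@evil.example/" does not match).
    """
    default = "/"
    if not url:
        return default
    parsed = urlparse(url)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative reference: must be a plain absolute path on this site.
        if url.startswith("/") and not url.startswith("//") and "\\" not in url:
            return url
        return default
    if parsed.scheme not in ("http", "https"):
        return default  # javascript:, data:, etc.
    if parsed.hostname != trusted_host:
        return default  # exact host match, never a prefix or substring test
    return url


if __name__ == "__main__":
    print("weak check accepts payload:", weak_is_safe_redirect(PAYLOAD))
    print("hardened check resolves payload to:", safe_redirect_target(PAYLOAD))
```

Run directly to see the two checks disagree on the report's payload; the hardened version falls back to the site root, while legitimate `/index.php/...` paths and `https://demo.collectiveaccess.org/...` URLs pass unchanged.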

We are processing your report and will contact the collectiveaccess/providence team within 24 hours. 13 days ago
We have contacted a member of the collectiveaccess/providence team and are waiting to hear back 12 days ago
CollectiveAccess validated this vulnerability 12 days ago
Chau Minh Khanh has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess confirmed that a fix has been merged on a45392 12 days ago
CollectiveAccess has been awarded the fix bounty
CollectiveAccess
12 days ago

Maintainer


Thanks for catching that.

Chau Minh Khanh
2 days ago

Researcher


Hi @collectiveaccess, can you review and validate my other report to you at https://huntr.dev/bounties/3bb435f9-3425-419e-b13e-d684adaa570b/? Thank you!