Open Redirect in collectiveaccess/providence

Valid

Reported on Nov 21st 2021


Description

I found a new way to bypass the Open Redirect with the "redirect" parameter on the login page.

Vulnerable parameter

redirect

Payload

https://demo.collectiveaccess.org.example.com

Proof of Concept

Send users the following login link: https://demo.collectiveaccess.org/index.php/system/auth/login?redirect=https%3A%2F%2Fdemo.collectiveaccess.org.example.com
After users use their registered accounts to log in, they will be redirected to demo.collectiveaccess.org.example.com
Note that I can completely host a domain and create the subdomain like that.

Impact

This functionality is not restricted to relative URLs within the application and could be leveraged by an attacker to fool an end-user into believing that a malicious URL they were redirected to is valid. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
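As an added illustration (not code from CollectiveAccess or from the fix in commit a45392), the check below reconstructs a prefix-matching host allow-list of the kind this payload defeats, next to a hardened version that parses the URL and accepts only an exact host match or a same-site path. The weak check is an assumption about the bug's shape drawn from the payload; `TRUSTED_HOST` is taken from the PoC link and `attacker.example` is a constructed placeholder.

```python
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOST = "demo.collectiveaccess.org"  # host from the report's PoC link


def weak_is_safe_redirect(url: str) -> bool:
    """Reconstruction of a prefix-matching check (an assumption, not the
    project's code): any host that *starts with* the trusted host passes,
    so 'demo.collectiveaccess.org.example.com' is accepted."""
    host = urlsplit(url).netloc.lower()
    return host == "" or host.startswith(TRUSTED_HOST)


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Hardened check: return a same-site path to redirect to, or `default`.
    Absolute URLs must use http(s) and match TRUSTED_HOST exactly; they are
    then reduced to their path so no foreign scheme, host or credentials
    survive. Relative targets must be a plain path, not scheme-relative."""
    parts = urlsplit(url.strip())
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https") or parts.hostname != TRUSTED_HOST:
            return default
        path = parts.path or "/"
    else:
        path = parts.path
    # "//host" is scheme-relative, and some browsers treat "/\host" the same.
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        return default
    target = path
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    return target


def redirect_after_login(login_url: str) -> str:
    """Pull the 'redirect' parameter out of a login link such as the one in
    the PoC and return where the hardened check would actually send the user."""
    params = parse_qs(urlsplit(login_url).query)
    return safe_redirect_target(params.get("redirect", ["/"])[0])


if __name__ == "__main__":
    poc = ("https://demo.collectiveaccess.org/index.php/system/auth/login"
           "?redirect=https%3A%2F%2Fdemo.collectiveaccess.org.example.com")
    print("weak check accepts payload:",
          weak_is_safe_redirect("https://demo.collectiveaccess.org.example.com"))
    print("hardened check sends user to:", redirect_after_login(poc))
```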

We are processing your report and will contact the collectiveaccess/providence team within 24 hours. (a year ago)
We have contacted a member of the collectiveaccess/providence team and are waiting to hear back. (a year ago)
CollectiveAccess validated this vulnerability. (a year ago)
KhanhCM has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
CollectiveAccess marked this as fixed with commit a45392. (a year ago)
CollectiveAccess has been awarded the fix bounty.
This vulnerability will not receive a CVE.
CollectiveAccess (Maintainer), a year ago:

Thanks for catching that.

KhanhCM (Researcher), a year ago:

Hi @collectiveaccess, can you review and validate my other report to you at https://huntr.dev/bounties/3bb435f9-3425-419e-b13e-d684adaa570b/? Thank you!
