New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open redirect vulnerability on 2FA #4307

glitch003 opened this Issue Jun 25, 2018 · 4 comments


6 participants

glitch003 commented Jun 25, 2018

  • Gitea version (or commit ref): 1.4.1
  • Git version: 2.17.1
  • Operating system: Ubuntu 16
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist: N/A


This bug was submitted via a Bug Bounty program my company has, and I'd love to hear your thoughts on it

During the login process when the victim has entered his/her password and is then redirected to the page where he/she is told to enter his 2FA Code at this point the attacker will send a crafted link ""

This crafted link will send this to same page he/she was viewing before and he/she will think it is a legitimate page is being loaded from ""

Now they will enter there 2FA code there and will then be redirected on or any other web page the attacker wants.

More info about open redirect vulnerabilities and why they're a problem:


You must have 2FA enabled on your account.

  1. Login at
  2. You will be redirected to ""
  3. Open this link ""
  4. Enter the 2FA Code
  5. You will be redirected to

This comment has been minimized.


JonasFranzDEV commented Jun 25, 2018

Normal login without 2FA is also affected if // is used.


This comment has been minimized.

glitch003 commented Jun 26, 2018

Wow that was fast, thanks all!


This comment has been minimized.


lunny commented Jun 27, 2018

Thanks @cezar97


This comment has been minimized.


sapk commented Jun 28, 2018

The check introduce in #4312 should be introduce globaly in

func (ctx *Context) RedirectToFirst(location ...string) {

Or display a webpage in between the redirect that show the user he is leaving.

@ghost ghost referenced this issue Jun 28, 2018


Open Redirect vulnerability on internal links #4332

1 of 7 tasks complete
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment