New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open redirect vulnerability on 2FA #4307

Closed
glitch003 opened this Issue Jun 25, 2018 · 4 comments

Comments

6 participants
@glitch003

glitch003 commented Jun 25, 2018

  • Gitea version (or commit ref): 1.4.1
  • Git version: 2.17.1
  • Operating system: Ubuntu 16
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist: N/A

Description

This bug was submitted via a Bug Bounty program my company has, and I'd love to hear your thoughts on it

During the login process when the victim has entered his/her password and is then redirected to the page where he/she is told to enter his 2FA Code at this point the attacker will send a crafted link "https://try.gitea.io/user/login?redirect_to=//google.com/"

This crafted link will send this to same page he/she was viewing before and he/she will think it is a legitimate page is being loaded from "try.gitea.io"

Now they will enter there 2FA code there and will then be redirected on google.com or any other web page the attacker wants.

More info about open redirect vulnerabilities and why they're a problem:

Reproduction

You must have 2FA enabled on your account.

  1. Login at https://try.gitea.io/
  2. You will be redirected to "https://try.gitea.io/user/two_factor"
  3. Open this link "https://try.gitea.io/user/login?redirect_to=//google.com/"
  4. Enter the 2FA Code
  5. You will be redirected to google.com
@JonasFranzDEV

This comment has been minimized.

Member

JonasFranzDEV commented Jun 25, 2018

Normal login without 2FA is also affected if //example.com is used.

@glitch003

This comment has been minimized.

glitch003 commented Jun 26, 2018

Wow that was fast, thanks all!

@lunny

This comment has been minimized.

Member

lunny commented Jun 27, 2018

Thanks @cezar97

@sapk

This comment has been minimized.

Member

sapk commented Jun 28, 2018

The check introduce in #4312 should be introduce globaly in

func (ctx *Context) RedirectToFirst(location ...string) {

Or display a webpage in between the redirect that show the user he is leaving.

@ghost ghost referenced this issue Jun 28, 2018

Open

Open Redirect vulnerability on internal links #4332

1 of 7 tasks complete
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment