
URL open redirect leads to phishing attacks #4061

Closed
naivekun opened this issue Apr 24, 2020 · 5 comments
Labels: cleanup Low impact changes

Comments


naivekun commented Apr 24, 2020

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

[x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md

[x] I have searched the existing issues and I'm convinced that mine is new.

Describe the bug
The redirect URL on the login page is not filtered and can redirect the user to any website.
Attackers can send a URL like https://<FIREWALL_IP>/?url=http://phishing-site.com/ to a firewall user. If the user enters their credentials and logs in, they will be redirected to the malicious page.

To Reproduce
Steps to reproduce the behavior:

  1. Access https://<FIREWALL_IP>/?url=http://example.com
  2. Enter the credentials.
  3. The user is redirected to http://example.com

Environment
OPNsense 20.1-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.1.1d 10 Sep 2019

naivekun (Author) commented

```php
// Login page: the url parameter is written into the Location header without validation
header(url_safe("Location: {$_GET['url']}"));
```

fichtner (Member) commented Apr 24, 2020 via email

naivekun (Author) commented

The malicious URL itself does not start with "http://<REAL_IP_ADDRESS>". I'll give you an example.
If someone sends you a link like "http://192.168.1.1/?url=http://bit.ly/xxxxx", "192.168.1.1" makes the user feel safe rather than "http://bit.ly/xxxxx", and users are more likely to click a URL containing a trusted domain or IP address.
Reference: https://cwe.mitre.org/data/definitions/601.html

naivekun (Author) commented

Another reasonable payload is http://192.168.1.1/?url=http://csrf_token_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.hacker.com, which more easily confuses the user. csrf_token_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX is a fake subdomain of hacker.com.

AdSchellevis self-assigned this Apr 26, 2020
AdSchellevis added the cleanup Low impact changes label Apr 26, 2020

AdSchellevis (Member) commented

0d07fae should prevent off site redirects.
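Added example, not the OPNsense code and not the 0d07fae change itself: one way to constrain the login page's post-login redirect to a same-site path, with constructed inputs showing what is accepted and what falls back to "/". The function `safe_redirect_target` and the sample inputs are assumptions for this illustration.

```php
<?php
// Added example, not OPNsense code and not the 0d07fae change itself.
// Restricts the post-login redirect target from the report to a same-site
// path, so ?url= can no longer send a user to an off-site page (CWE-601).

// Return $url if it is a safe same-site target, otherwise $default.
// Only absolute-path references such as "/ui/index.php" are accepted.
function safe_redirect_target(string $url, string $default = '/'): string
{
    // Drop control characters and whitespace first: browsers ignore some
    // of them when parsing, so "\t//host" would otherwise slip through.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if ($url === null || $url === '') {
        return $default;
    }
    // Must start with exactly one "/" not followed by "/" or "\":
    // "//host" and "/\host" are treated as scheme-relative by browsers.
    if (!preg_match('#^/(?![/\\\\])#', $url)) {
        return $default;
    }
    // Some browsers normalise "\" to "/", so reject it anywhere.
    if (strpos($url, '\\') !== false) {
        return $default;
    }
    // Defence in depth: parse_url() must not find a scheme or host.
    $parts = parse_url($url);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $url;
}

// Vulnerable pattern from the report:
//   header("Location: {$_GET['url']}");
// Hardened:
//   header('Location: ' . safe_redirect_target($_GET['url'] ?? ''));

// Constructed inputs (not from the issue) covering accepted and rejected cases.
$cases = [
    '/ui/index.php'       => '/ui/index.php',
    '/index.php?a=1'      => '/index.php?a=1',
    'http://example.com/' => '/',
    '//example.com/'      => '/',
    '/\\example.com/'     => '/',
    "\t//example.com"     => '/',
];
foreach ($cases as $in => $want) {
    $got = safe_redirect_target($in);
    printf("%-22s -> %-16s %s\n", json_encode($in), $got, $got === $want ? 'ok' : 'MISMATCH');
}
```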
