Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open redirect vulnerability in /user/login?redirect= #905

Closed
whiteHat001 opened this issue Jul 5, 2018 · 5 comments
Closed

Open redirect vulnerability in /user/login?redirect= #905

whiteHat001 opened this issue Jul 5, 2018 · 5 comments

Comments

@whiteHat001
Copy link

whiteHat001 commented Jul 5, 2018

Technical Details
Pagekit version: 1.0.13
Web server: Apache
Database: Mysql
PHP Version: 5.6.27
Hello, I found a open redirect vulnerability.
Detail:
After a user login ,access this url http://domain/user/login?redirect=https://www.google.com, It will redirect to google.

Author:
zhihua.yao from DBAPPSecurity

@whiteHat001
Copy link
Author

@tobbexiv ,Please look at this issue,Thanks

@malte-christian
Copy link
Contributor

Hello whiteHat001,

it is only possible to pass local paths to the redirect argument. A redirect to "https://www.google.com" dose not work for me.

For future security related issues please mail to info@pagekit.com.

Best Regards
Malte

@whiteHat001
Copy link
Author

Please use this payload :http://domain/pagekit-1.0.13/user/login?redirect=https://www.facebook.com

If you have logged in,it will be redirected to facebook.
image

@MalteScharenberg

@malte-christian
Copy link
Contributor

@whiteHat001 Open redirect dose not work for me with the payload you provided, but I identified some inputs which were able to exploit our filters. 59e99e2 fixes this.

Dose 59e99e2 also work on your system?

Thanks for reporting!

@whiteHat001
Copy link
Author

Yes,It works well for me.I can't reproduce.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants