Open Redirect in forkcms/forkcms
Reported on
Oct 17th 2021
Description
When a user who has access to the admin (backend) area but is not logged in opens a page such as http://forkcms.site/private/de/authentication?querystring=//google.de/
and enters their credentials, the user is redirected to https://google.de after the login succeeds. The `querystring` parameter is meant to carry the backend path to return to after login, but its value is not restricted to a path on the same site.
When a user who has access to the admin area and is already logged in opens the same page, the user is redirected to https://google.de immediately, without any further interaction.
Several different payloads work here (listed below in the Proof of Concept section).
Proof of Concept
Open a page like one of the following (replace forkcms.site with your own address):
http://forkcms.site/private/de/authentication?querystring=//google.de/
http://forkcms.site/private/de/authentication?querystring=/%5cgoogle.com
http://forkcms.site/private/de/authentication?querystring=//google%00.com
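The three payloads above each defeat a different naive "is this a local path?" check: `//google.de/` is a protocol-relative URL (it starts with a slash but names a host), `/%5cgoogle.com` decodes to `/\google.com`, which browsers normalise to `//google.com`, and `//google%00.com` carries an embedded NUL byte that can truncate or confuse string comparisons. The following is an added example, written for this page in Python rather than in Fork CMS's own PHP and not taken from the project's code, that shows a prefix check letting all three through next to a validator that accepts only a path on the current origin. The `DEFAULT_AFTER_LOGIN` fallback route and the `resolve_redirect` helper are assumptions made for the illustration, not Fork CMS routes or functions.

```python
from urllib.parse import unquote, urlsplit

# The three redirect targets from the report above.
REPORTED_PAYLOADS = [
    "//google.de/",      # protocol-relative URL: keeps the scheme, swaps the host
    "/%5cgoogle.com",    # %5c is a backslash; browsers treat "/\host" as "//host"
    "//google%00.com",   # embedded NUL byte, which can truncate C-style string checks
]


def naive_is_local(target: str) -> bool:
    """The kind of check that lets every payload above through: 'does it start with /?'"""
    return target.startswith("/")


def is_safe_local_redirect(target: str) -> bool:
    """Accept only a path rooted on the current origin, e.g. "/private/de/pages?x=1".

    Each rule closes one of the bypass classes the report demonstrates.
    """
    if not target:
        return False
    # Check the raw value and a percent-decoded copy: the decision must hold
    # whichever form the browser ends up interpreting.
    for candidate in (target, unquote(target)):
        # Control characters (NUL included) have no place in a redirect target.
        if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
            return False
        # Browsers fold backslashes into forward slashes, so "/\host" == "//host".
        if "\\" in candidate:
            return False
        # Exactly one leading slash: "//host" is an authority, not a path.
        if not candidate.startswith("/") or candidate.startswith("//"):
            return False
        # Belt and braces: a URL parser must see neither a scheme nor a host.
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False
    return True


# Hypothetical post-login landing page used for illustration; not a real Fork CMS route.
DEFAULT_AFTER_LOGIN = "/private/de/dashboard"


def resolve_redirect(querystring: str, fallback: str = DEFAULT_AFTER_LOGIN) -> str:
    """Target to send the user to after login: the requested local path, else the fallback."""
    return querystring if is_safe_local_redirect(querystring) else fallback


if __name__ == "__main__":
    for payload in REPORTED_PAYLOADS:
        print(f"{payload!r:20} naive={naive_is_local(payload)!s:5} "
              f"hardened={is_safe_local_redirect(payload)}")
    print(resolve_redirect("//google.de/"))           # falls back to the dashboard
    print(resolve_redirect("/private/de/pages?x=1"))  # a genuine local path is kept
```

The hardened check deliberately rejects rather than "repairs" a suspicious value: stripping leading slashes or backslashes from attacker input tends to produce a new bypass, whereas falling back to a fixed local page loses nothing but the attacker's target.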
Impact
This way, an attacker can redirect a legitimate backend user to any page the attacker controls, for example a page that imitates the Fork CMS login form to capture credentials. Because the redirect also fires for users who are already logged in, a single crafted link sent to an administrator is enough; no further interaction on the target site is needed.