Cross-site scripting and open redirect vulnerability on Rock RMS Login Page in sparkdevnetwork/rock
May 12th 2022
The Rock RMS login page has a returnUrl parameter that is used to set the page the user is sent to after logging in. An attacker can set the returnUrl parameter to a malicious URL.
Proof of Concept
An alert box should be displayed, demonstrating that a malicious JS payload is executed.
To demonstrate the open redirect vulnerability, navigate to this PoC link on the demo login page and login using the demo credentials: https://rock.rocksolidchurchdemo.com/page/3?returnurl=https%253A%252F%252Fgoogle.com
You should be redirected to google.com, rather than the appropriate Rock RMS dashboard page.
It is possible to force a user to perform actions on their behalf, deface the website, or redirect the user to a malicious website. An attacker can also try to steal the user's credentials by redirecting them to a website that the attacker has hosted, that appears to be the Rock login page, and then capturing their credentials, or the attacker can steal the credentials directly from the legitimate Rock website if the session cookie/token is not appropriately protected.
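The mitigation for both issues is the same: treat returnUrl as untrusted input and only honour values that resolve to a site-local path. The following is an added example written for this report, not code from Rock RMS; the function names, the allow-list policy and the Apache-style log lines are all constructed. It decodes the parameter to a fixed point before checking it (the PoC above relies on a double-encoded value, so a check applied to a once-decoded string is not enough), rejects absolute, protocol-relative, backslash and scheme-prefixed values, and then reuses the same check to flag suspicious returnurl values in web server logs, which is where a defender would go to see whether the link in this report was ever used against a real instance.

```python
"""Defender-side handling of a post-login returnUrl parameter (constructed example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # bounded: the PoC relies on two layers of percent-encoding


def fully_decode(value: str, rounds: int = MAX_DECODE_ROUNDS) -> str:
    """Percent-decode until the string stops changing, so nested encodings are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_safe_return_url(value: str) -> bool:
    """Allow only a site-local absolute path such as /page/12."""
    if not value:
        return False
    decoded = fully_decode(value)
    # Control characters and whitespace are used to smuggle schemes past naive checks.
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return False
    # Browsers treat a backslash like a forward slash, so /\evil.example is external.
    if "\\" in decoded:
        return False
    # Exactly one leading slash: "//host" is a protocol-relative external URL.
    if not decoded.startswith("/") or decoded.startswith("//"):
        return False
    parts = urlsplit(decoded)
    # Any scheme (https:, javascript:) or host means it is not local.
    if parts.scheme or parts.netloc:
        return False
    return True


def safe_return_url(value: str, default: str = "/") -> str:
    """Return the decoded local path, or the default landing page when rejected."""
    return fully_decode(value) if is_safe_return_url(value) else default


# Constructed access-log lines (hypothetical IPs) in common log format.
CONSTRUCTED_LOG = """\
10.0.0.5 - - [12/May/2022:10:00:01 +0000] "GET /page/3?returnurl=%2Fpage%2F12 HTTP/1.1" 200 1234
10.0.0.9 - - [12/May/2022:10:00:07 +0000] "GET /page/3?returnurl=https%253A%252F%252Fgoogle.com HTTP/1.1" 200 1234
10.0.0.9 - - [12/May/2022:10:00:09 +0000] "GET /page/3?returnurl=javascript%3Aalert%281%29 HTTP/1.1" 200 1234
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP')


def suspicious_return_urls(log_text: str) -> list:
    """Yield (client_ip, fully decoded value) for every returnurl that fails the check.

    The parameter name is matched case-insensitively because the report uses both
    returnUrl and returnurl.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client_ip, request_target = m.groups()
        query = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
        for key, values in query.items():
            if key.lower() != "returnurl":
                continue
            for raw in values:
                if not is_safe_return_url(raw):
                    hits.append((client_ip, fully_decode(raw)))
    return hits


if __name__ == "__main__":
    for ip, target in suspicious_return_urls(CONSTRUCTED_LOG):
        print(f"{ip} requested login with external/unsafe returnurl: {target}")
```

The check deliberately allow-lists instead of block-listing hosts: the decoded value must start with a single "/" and carry no scheme or authority, which also covers the XSS variant, since a javascript: value never starts with a slash. The log scan applies the identical function, so any value the application would have rejected is exactly the set that gets reported.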