Open Redirect in archivy/archivy
Feb 16th 2022
The application does not validate the redirect target (the `next` parameter) before redirecting, which leads to an Open Redirect vulnerability.
Proof of Concept
Install the service locally for testing.
- Step 1: Go to http://127.0.0.1:5000/login?next=%2F%2fevil.com
- Step 2: Enter valid credentials; after login you will be redirected to evil.com.
- PoC: https://drive.google.com/file/d/1mwGtImU2srYZ_3FlHQBrAJFzt3PyZQzM
Attackers can redirect users to any website and perform phishing attacks.
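As an added example (not archivy's own code), below is a validator for the `next` parameter that a login handler could apply before issuing the redirect. The PoC value `%2F%2fevil.com` is URL-decoded by the framework to `//evil.com`, a protocol-relative URL that a naive "starts with /" check accepts; the validator assumes the allowed host is the one from the PoC's test deployment, `127.0.0.1:5000` (host and port as they appear in the `Host` header).

```python
from urllib.parse import unquote, urlsplit

# Host (with port) of the local test deployment from the PoC; constructed for this example.
LOCAL_HOST = "127.0.0.1:5000"
# The PoC's `next` value as the application receives it after URL-decoding.
POC_NEXT = unquote("%2F%2fevil.com")  # -> "//evil.com"


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """Return True only if `target` can only resolve to a page on `allowed_host`.

    "//evil.com" has no scheme but does have a host, so browsers resolve it to
    http(s)://evil.com. Backslashes and "///host" are parsed differently by
    browsers and by urlsplit, so both the raw and the normalised form are checked.
    """
    if not target or target != target.strip():
        return False
    # Browsers silently strip control characters; reject instead of normalising.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    for url in (target, target.replace("\\", "/")):
        if url.startswith("///"):
            return False  # browsers treat this as an absolute URL, urlsplit does not
        parts = urlsplit(url)
        if parts.scheme and parts.scheme not in ("http", "https"):
            return False  # javascript:, data:, ...
        if parts.scheme and not parts.netloc:
            return False  # "http:evil"-style oddities; conservatively rejected
        if parts.netloc and parts.netloc.lower() != allowed_host.lower():
            return False  # absolute or protocol-relative URL to another host
    return True


def resolve_next(next_param, allowed_host, fallback="/"):
    """Post-login destination: the requested `next` if it is safe, else `fallback`."""
    if next_param and is_safe_redirect(next_param, allowed_host):
        return next_param
    return fallback
```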