Open Redirect in mosparo/mosparo

Valid

Reported on

Sep 30th 2023

Description

There is an open redirect in the endpoint /project/switch/{project} due to the use of symfony's redirect() function from a user controlled input.

Proof of Concept

        $targetPath = $request->query->get('targetPath', false);
        if ($targetPath) {
            return $this->redirect($targetPath);
        }

http://127.0.0.1:8080/project/switch/1?targetPath=https://google.com

Impact

Open redirection attacks are most commonly used to support phishing attacks, or redirect users to malicious websites.

References

https://symfony.com/doc/4.1/routing/redirect_in_config.html#:~:text=Because%20you%20are%20redirecting%20to%20a%20route%20instead%20of%20a%20path%2C%20the%20required%20option%20is%20called%20route%20in%20the%20redirect()%20action%2C%20instead%20of%20path%20in%20the%20urlRedirect()%20action.

We are processing your report and will contact the mosparo team within 24 hours. 2 months ago

We have contacted a member of the mosparo team and are waiting to hear back 2 months ago

A mosparo/mosparo maintainer gave praise 2 months ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

A mosparo/mosparo maintainer validated this vulnerability 2 months ago

tomorrowisnew_ has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

tomorrowisnew_

commented 2 months ago

Researcher

Hi mosparo team. Could we get a cve

Matthias Zobrist Matthias

commented 2 months ago

Maintainer

@tomorrowisnew_

As far as I understand, huntr will assign the CVE automatically. We've verified the issue and can confirm it is valid.

Matthias Zobrist marked this as fixed in 1.0.2 with commit 9d5da3 2 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Matthias Zobrist published this vulnerability 2 months ago

tomorrowisnew_

commented 2 months ago

Researcher

Hi. @admin

Matthias Zobrist Matthias

commented 2 months ago

Maintainer

@admin Is it possible to add a CVE for it? Or what do I have to do as a maintainer so that you can add a CVE?

Ben Harvie

commented 2 months ago

Admin

I have went ahead and assigned this report a CVE as requested.

tomorrowisnew_

commented 2 months ago

Researcher

Thanks!

to join this conversation

We are processing your report and will contact the mosparo team within 24 hours. 2 months ago

We have contacted a member of the mosparo team and are waiting to hear back 2 months ago

A mosparo/mosparo maintainer gave praise 2 months ago

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

A mosparo/mosparo maintainer validated this vulnerability 2 months ago

tomorrowisnew_ has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

tomorrowisnew_

commented 2 months ago

Researcher

Hi mosparo team. Could we get a cve

Matthias Zobrist Matthias

commented 2 months ago

Maintainer

@tomorrowisnew_

As far as I understand, huntr will assign the CVE automatically. We've verified the issue and can confirm it is valid.

Matthias Zobrist marked this as fixed in 1.0.2 with commit 9d5da3 2 months ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

Matthias Zobrist published this vulnerability 2 months ago

tomorrowisnew_

commented 2 months ago

Researcher

Hi. @admin

Matthias Zobrist Matthias

commented 2 months ago

Maintainer

@admin Is it possible to add a CVE for it? Or what do I have to do as a maintainer so that you can add a CVE?

Ben Harvie

commented 2 months ago

Admin

I have went ahead and assigned this report a CVE as requested.

tomorrowisnew_

commented 2 months ago

Researcher

Thanks!

to join this conversation