Bypass open redirect protection in microweber/microweber


Reported on

Jun 28th 2022


I could bypass the open redirect protection on the application after parsing the redirect function using the following payload\@ and the payload with the link in the following\@

Note that the IP is my local server, which runs the CMS.

Proof of Concept

  1. Log in to your account
  2. Open the link with the payload\@
  3. Click on Confirm and you will be redirected to

The following is the request from the page

POST /test/microweber-master/logout HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
Connection: close
Cookie: .....
Upgrade-Insecure-Requests: 1


The response is the following

HTTP/1.1 302 Found
Date: Tue, 28 Jun 2022 13:13:22 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
Cache-Control: no-cache, private
Set-Cookie: .....path=/; httponly; samesite=lax
Content-Length: 374
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='\@'" />

        <title>Redirecting to\@</title>
        Redirecting to <a href="\@">\@</a>.

You can notice that the Location header is redirecting to


redirecting users to other domains via the CMS's trusted domain.
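The report above shows the logout endpoint taking a redirect target from the request and emitting it in the response without a check that survives the researcher's payload. The usual defensive fix is to validate the target on the server with a strict allow-list before issuing the redirect, and to fall back to a safe default otherwise. The following is an added example written for this page, not microweber's code or its fix in 1.2.19: the function names, the host list and the sample targets are assumptions chosen for illustration. It rejects the inputs that most often make a server-side URL parser disagree with a browser (backslashes, control characters, userinfo before the host, scheme-relative URLs) and only then compares the host against the allow-list.

```python
from typing import Iterable
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_hosts: Iterable[str]) -> bool:
    """Return True only when `target` is a path on this site or an http(s)
    URL whose host is in `allowed_hosts`.

    The checks are deliberately conservative: anything that could be parsed
    differently by a browser than by the server is rejected outright.
    """
    if not target or len(target) > 2048:
        return False

    # Control characters and whitespace (tab, newline, space, DEL) can change
    # how a browser splits scheme, host and path; never pass them through.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False

    # Browsers normalise '\' to '/', most server-side parsers do not. Refuse
    # the character instead of trying to predict which side wins.
    if "\\" in target:
        return False

    # A site-relative path is fine, but '//host/...' is scheme-relative and
    # would leave the site, so require exactly one leading slash.
    if target.startswith("/"):
        return not target.startswith("//")

    parts = urlsplit(target)

    # Only plain web schemes; anything else (ftp, data, custom handlers) is out.
    if parts.scheme not in ("http", "https"):
        return False

    # 'user:pass@host' syntax is the classic way to make a parser read one
    # host while the browser connects to another; reject any userinfo at all.
    if parts.username is not None or parts.password is not None or "@" in parts.netloc:
        return False

    host = parts.hostname
    if host is None:
        return False

    allowed = {h.lower() for h in allowed_hosts}
    return host.lower() in allowed


def logout_redirect_location(target: str, allowed_hosts: Iterable[str], fallback: str = "/") -> str:
    """Value to put in the Location header after logout: the requested
    target if it passes validation, otherwise the safe fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample targets; 127.0.0.1 mirrors the local CMS host in the report.
    hosts = {"127.0.0.1"}
    for t in ["/admin", "//evil.example/", "http://127.0.0.1/login",
              "http://127.0.0.1@evil.example/", "http://127.0.0.1\\x", "ftp://127.0.0.1/"]:
        print(f"{t!r:40} -> {logout_redirect_location(t, hosts)}")
```

The validator compares only the hostname, so a port on the target is accepted as long as the host matches; compare `parts.netloc` instead if the site must stay on one port. The fallback of `/` means a rejected target never produces an error page, just a redirect to the site root.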

We are processing your report and will contact the microweber team within 24 hours. 2 years ago
We have contacted a member of the microweber team and are waiting to hear back 2 years ago
Peter Ivanov validated this vulnerability 2 years ago
flex0geek has been awarded the disclosure bounty
Peter Ivanov marked this as fixed in 1.2.19 with commit 187e94 2 years ago
Peter Ivanov has been awarded the fix bounty