Open Redirect in rotheross/otobo
Reported on
Oct 5th 2021
Description
There is an open redirect vulnerability in the following URL, where the `URL` parameter of the `ExternalURLJump` action is used as the redirect target without being validated:
https://demo.otobo.org/otobo/index.pl?Action=ExternalURLJump;URL=https://google.com
After clicking the link, the victim is redirected to https://google.com. Because the link itself points at the trusted demo.otobo.org host, it can be used to send victims to an arbitrary attacker-chosen site.
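To make the weakness and its fix concrete, the following is an added example written for this page; it is not OTOBO's own code and does not reproduce how `ExternalURLJump` is implemented. It simulates a redirect action that reflects the `URL` parameter unchanged (the reported behaviour) next to a hardened version that only allows same-site relative paths or absolute http(s) URLs whose host is on an allowlist. The allowlist, the `/otobo/index.pl` fallback and the small `;`-separated query parser are assumptions made for the example; the reported URL is taken from the description above.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption for this example: the only host a redirect may legitimately target.
ALLOWED_HOSTS = {"demo.otobo.org"}

# The URL quoted in the report above.
REPORTED_URL = (
    "https://demo.otobo.org/otobo/index.pl"
    "?Action=ExternalURLJump;URL=https://google.com"
)


def parse_otobo_query(query: str) -> dict:
    """Parse a query string whose parameters are separated by ';' (as in the
    reported URL) or '&'. Values are expected to be percent-encoded."""
    params = {}
    for pair in re.split(r"[;&]", query):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def is_safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only a same-site relative path or an absolute http(s) URL whose
    host is on the allowlist. Covers the usual bypasses: scheme-relative
    '//evil', backslash variants, non-http schemes and 'user@host' tricks."""
    if not url:
        return False
    # Browsers treat '\' like '/', so "/\evil.example" would otherwise pass
    # as a relative path and then be followed as "//evil.example".
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Purely relative: must start with exactly one '/'.
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # .hostname drops userinfo and port and lower-cases the host, so
    # "https://demo.otobo.org@google.com/" resolves to google.com here.
    host = parts.hostname
    return host is not None and host in allowed_hosts


def external_url_jump(params: dict, vulnerable: bool = False) -> str:
    """Return the Location value the action would send.

    vulnerable=True reflects the attacker-controlled URL unchanged (the
    reported behaviour); otherwise the target is validated and a fixed
    fallback page (an assumption for this example) is used when it fails."""
    target = params.get("URL", "")
    if vulnerable:
        return target
    if is_safe_redirect_target(target):
        return target
    return "/otobo/index.pl"


def redirect_for(request_url: str, vulnerable: bool) -> str:
    """Run the simulated action against a full request URL."""
    query = urlsplit(request_url).query
    return external_url_jump(parse_otobo_query(query), vulnerable=vulnerable)


if __name__ == "__main__":
    print("vulnerable:", redirect_for(REPORTED_URL, vulnerable=True))
    print("hardened:  ", redirect_for(REPORTED_URL, vulnerable=False))
```

The vulnerable path returns `https://google.com` for the reported URL, the hardened path returns the fallback page. Checking the parsed host against an allowlist, rather than string-matching a prefix or rejecting `http` literally, is what keeps the `//host`, `/\host` and `trusted@evil` variants out.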
Occurrences
Hello, here, too - this is now my testing ground... ;)
I will fix this now - would you like to be mentioned in a certain way in the commit message, later? (And thank you, here, too, of course!)
I didn't get what you mean, but if it should exist, just tell me what I must do for you.
You must do nothing, I will just fix this and push it to the otobo repository with a commit message like:
git commit -m 'Fixed an open redirect in ExternalURLJump. Thanks to amammad for disclosing it to us.'
Or similar, if you want some specific text, or don't want to be mentioned,... :)
No thanks a lot
Can you just wait a while (one week) and then submit the reports? Because I want to investigate OTOBO more, and I don't want these two reports to become publicly available until then.
Sorry, I mean: "Can you just wait a while (one week) and then submit the commit here?"
Hi amammad, actually our plan was to release a new version of OTOBO today, and as we are extremely busy with some projects atm, I will stick to that part, at least. However, I can wait for some days until I confirm the fix, here. (Out of curiosity - what do you gain from me keeping this for a while? Is there so much competition...?^^)
And does the "No thanks a lot" mean "no mention at all, please", or "nothing special, 'thanks amammad' is enough"? ;)
Heheh, not so much competition, but a regular amount :))
And yes, excuse me for the misunderstanding. I mean this: "nothing special, 'thanks Amammad' is enough", and thanks to you too :)
Also, there is no need to wait for the new version because of me, or to wait until the report is published on Huntr.dev.
I just wanted the reports to stay hidden for a while only in Huntr, not in the next otobo release.
Best regards.