September 8, 2020

GHSL-2020-126: Open URL redirect in Orange Forum 1.x.x

GitHub Security Lab Team

Summary

There exists an Open URL redirect vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, with a next query parameter of the form //evil.com. Having clicked the link and authenticated, the targeted user will then be redirected to evil.com.

After discussion, the maintainer has discontinued the 1.x.x branch and does not intend to fix it. If you are using 1.x.x, please update to the 2.x branch.

Product

Orange Forum (https://github.com/s-gv/orangeforum)

Tested Version

Versions from the 1.x.x branch are affected (including the latest release, 1.4.0); the master branch is not.

Details

The login handler tries to verify that the URL to be redirected to after a successful login is a local URL. It does so by checking whether the URL starts with a slash, which is insufficient: a URL starting with two slashes (such as //evil.com) is protocol-relative, so the browser resolves it to another host and it is therefore non-local.
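To make the check concrete, the following Go program is an added example written for this advisory; it is not Orange Forum's own code. It contrasts a reconstruction of the single-slash check described above with a stricter same-origin check that rejects absolute URLs, protocol-relative URLs, and the backslash variant that browsers normalise to two slashes. The function names, the fallback path and the sample inputs are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakIsLocal reconstructs the insufficient check the advisory describes:
// it only asks whether the target begins with a slash, so a protocol-relative
// value such as "//evil.com" is accepted. Illustrative, not the project's code.
func weakIsLocal(next string) bool {
	return strings.HasPrefix(next, "/")
}

// safeLocalRedirect returns next only if it is a path on the current origin,
// and fallback otherwise. Example hardening written for this advisory; the
// fallback value is an assumption.
func safeLocalRedirect(next, fallback string) string {
	if next == "" {
		return fallback
	}
	u, err := url.Parse(next)
	if err != nil {
		return fallback
	}
	// A scheme, host or opaque part means the target is not relative to this
	// origin. url.Parse puts "evil.com" from "//evil.com" into u.Host.
	if u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return fallback
	}
	// Require an absolute path ("/...") and reject "//" and "/\" prefixes
	// explicitly, since browsers treat "/\host" like "//host".
	if !strings.HasPrefix(u.Path, "/") ||
		strings.HasPrefix(next, "//") ||
		strings.HasPrefix(next, "/\\") {
		return fallback
	}
	return next
}

func main() {
	// Constructed sample inputs covering local paths and the non-local forms.
	inputs := []string{
		"/",
		"/topics/42",
		"//evil.com",
		"/\\evil.com",
		"https://evil.com/",
		"",
	}
	for _, in := range inputs {
		fmt.Printf("%-20q weak=%-5v safe=%q\n",
			in, weakIsLocal(in), safeLocalRedirect(in, "/"))
	}
}
```

Running the program shows the weak check accepting "//evil.com" and "/\evil.com" while the stricter check maps both, along with the absolute URL and the empty value, to the fallback path.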

Impact

Information disclosure and potential client-side exploitation.

Resources

This issue was found by GitHub's standard Bad Redirect Check CodeQL query. It doesn't show up on LGTM.com because the vulnerability only exists on a (non-master) branch.

Coordinated Disclosure Timeline

  • 05/29/2020: report sent to maintainer
  • 06/16/2020: report acknowledged, maintainer says branch is no longer maintained and advises update to 2.x
  • 08/31/2020: disclosure deadline expired

Credit

This issue was discovered and reported by GitHub team members @sauyon and @max-schaefer.

Contact

You can contact the GHSL team at securitylab@github.com; please include GHSL-2020-126 in any communication regarding this issue.