Summary
There exists an Open URL redirect vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, with a next query parameter of the form //evil.com. Having clicked the link and authenticated, the targeted user will then be redirected to evil.com.
After discussion with the maintainer they have discontinued the 1.x.x branch and do not intend to initiate a fix for this branch. If you are using 1.x.x please update to the 2.x branch.
Product
Orange Forum (https://github.com/s-gv/orangeforum)
Tested Version
Versions from the 1.x.x branch are affected (including the latest release, 1.4.0), master is not.
Details
The login handler tries to verify that the URL to be redirected to after a successful login is a local URL. It does so by checking whether the URL starts with a slash, which is insufficient: URLs starting with two slashes are non-local.
Impact
Information Disclosure and potential clientside exploitation.
Resources
This issue was found by GitHub’s standard Bad Redirect Check CodeQL query.
Coordinated Disclosure Timeline
- 05/29/2020: report sent to maintainer
- 06/16/2020: report acknowledged, maintainer says branch is no longer maintained and advises update to 2.x
- 08/31/2020: disclosure deadline expired
Credit
This issue was discovered and reported by GitHub team members @sauyon and @max-schaefer.
Contact
You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-126 in any communication regarding this issue.