September 8, 2020

GHSL-2020-126: Open URL redirect in Orange Forum 1.x.x

GitHub Security Lab


Summary

There is an open URL redirect vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page, with a `next` query parameter that begins with two slashes (`//`). Having clicked the link and authenticated, the targeted user is then redirected off-site, to whatever host follows the two slashes, rather than to a page on the forum.

After discussion with the maintainer, the 1.x.x branch has been discontinued and no fix is planned for it. If you are using 1.x.x, please update to the 2.x branch.


Product

Orange Forum

Tested Version

Versions from the 1.x.x branch are affected (including the latest release, 1.4.0); master is not.


Details

The login handler tries to verify that the URL it redirects to after a successful login is local. It does so by checking only whether the `next` value starts with a slash. That is insufficient: a value starting with two slashes is a protocol-relative URL (`//host/path`), which the browser resolves against the current scheme but the attacker's host, so the redirect leaves the site.
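The following Go snippet is an added example, not Orange Forum's own code, written to show the flawed check beside a hardened one. The function names (`isLocalNaive`, `isLocalSafe`, `redirectTarget`) and the sample `next` values are assumptions made for illustration. `isLocalNaive` reproduces the single-slash check described above; `isLocalSafe` additionally rejects `//` and `/\` prefixes, control characters that browsers strip before parsing, and anything `net/url` still parses as carrying a scheme, host or userinfo.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isLocalNaive mirrors the insufficient check described in the advisory:
// any value beginning with a single slash is accepted, so the
// protocol-relative form "//evil.example" passes.
func isLocalNaive(next string) bool {
	return strings.HasPrefix(next, "/")
}

// isLocalSafe accepts only absolute paths on the current origin.
func isLocalSafe(next string) bool {
	// Must begin with exactly one slash.
	if len(next) == 0 || next[0] != '/' {
		return false
	}
	// "//host" is protocol-relative; "/\host" is normalised to "//host"
	// by browsers, so both must be rejected.
	if len(next) > 1 && (next[1] == '/' || next[1] == '\\') {
		return false
	}
	// Browsers strip tabs and newlines before resolving a URL, so
	// "/\t/evil.example" would become "//evil.example". Refuse any
	// control or space character outright.
	for _, r := range next {
		if r <= 0x20 || r == 0x7f {
			return false
		}
	}
	// Finally confirm that the parser sees a bare path: no scheme,
	// no authority, no userinfo, no opaque part.
	u, err := url.Parse(next)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && u.User == nil && u.Opaque == ""
}

// redirectTarget returns next when it is a safe local path and the
// supplied fallback (e.g. "/") otherwise.
func redirectTarget(next, fallback string) string {
	if isLocalSafe(next) {
		return next
	}
	return fallback
}

func main() {
	// Constructed sample values for the `next` parameter.
	samples := []string{
		"/topics/42?page=2",
		"//evil.example/",
		"/\\evil.example",
		"/\t/evil.example",
		"https://evil.example/",
	}
	fmt.Printf("%-24s %-6s %-6s %s\n", "next", "naive", "safe", "redirect")
	for _, s := range samples {
		fmt.Printf("%-24q %-6t %-6t %q\n", s, isLocalNaive(s), isLocalSafe(s), redirectTarget(s, "/"))
	}
}
```

Running the block prints one row per sample; the naive check accepts the `//` and `/\` forms, while the hardened check accepts only the real on-site path and falls back to `/` for the rest.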


Impact

Information disclosure and potential client-side exploitation: a user who trusts a link to the forum's own login page can be sent to an attacker-controlled site after authenticating.


This issue was found by GitHub’s standard Bad Redirect Check CodeQL query.

Coordinated Disclosure Timeline


Credit

This issue was discovered and reported by GitHub team members @sauyon and @max-schaefer.


Contact

You can contact the GHSL team at; please include GHSL-2020-126 in any communication regarding this issue.