Coordinated Disclosure Timeline

Summary

An open redirect exists on the login page of the lorawan-stack server, allowing an attacker to supply a user-controlled redirect target that is followed upon sign-in.

Product

lorawan-stack

Tested Version

v3.23.1

Details

Upon successful login on the /oauth/login and /oauth/token-login endpoints, the user is redirected to the value of the n query parameter, which is assigned directly to window.location.

Issue: Open Redirect (GHSL-2022-138)

An Open Redirect vulnerability exists in the /oauth/login and /oauth/token-login endpoints.

// Vulnerable helper (as shipped): the `n` query parameter is returned as the
// post-login destination without any check that it points at the same origin.
// `Query` (the query-string parser) and `appRoot` are defined elsewhere in the module.
const url = (location, omitQuery = false) => {
  const query = Query.parse(location.search)

  // Falls back to the application root only when `n` is absent;
  // any attacker-supplied absolute URL is accepted as-is.
  const next = query.n || appRoot

  if (omitQuery) {
    return next.split('?')[0]
  }

  return next
}
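For comparison, the following is an added example of a hardened form of the helper above; it is not lorawan-stack's code. It assumes a stand-in `parseQuery` in place of the page's `Query.parse` and a hypothetical `appRoot` of `/console`. The redirect target is honoured only when it resolves to a path on the current origin; everything else falls back to the application root.

```javascript
// Added example (not lorawan-stack's own code): hardened post-login redirect.
// Assumption: `appRoot` stands in for the page's application root value.
const appRoot = '/console';

// Stand-in for the page's `Query.parse` (assumption): returns a plain object
// of query parameters from a `location.search` string such as '?n=/foo'.
function parseQuery(search) {
  return Object.fromEntries(new URLSearchParams(search).entries());
}

// Accepts `next` only if it is a same-origin relative path. The cheap string
// checks reject the common bypasses up front; the decisive test resolves the
// value with the WHATWG URL parser (the same rules the browser applies to
// window.location) against a fixed base and verifies the origin is unchanged,
// which also catches forms such as '/\evil.com' or tab/newline smuggling.
function isSafeRedirect(next) {
  if (typeof next !== 'string' || next.length === 0) return false;
  if (!next.startsWith('/')) return false;          // absolute URLs, schemes
  if (next.startsWith('//') || next.startsWith('/\\')) return false; // protocol-relative
  const base = 'https://example.invalid';           // constructed, never fetched
  let resolved;
  try {
    resolved = new URL(next, base);
  } catch {
    return false;
  }
  return resolved.origin === base;
}

// Hardened counterpart of the page's `url` helper: same signature and return
// shape, but an unsafe `n` is replaced by `appRoot` instead of being trusted.
function safeUrl(location, omitQuery = false) {
  const query = parseQuery(location.search);
  const next = isSafeRedirect(query.n) ? query.n : appRoot;
  return omitQuery ? next.split('?')[0] : next;
}

// Usage (constructed inputs):
console.log(safeUrl({ search: '?n=https://maliciousdomain.com' })); // '/console'
console.log(safeUrl({ search: '?n=/console/applications?tab=1' }, true)); // '/console/applications'
```

A same-origin check on the resolved URL is preferable to a denylist of prefixes because the browser's own parser, not the application's string handling, decides where `window.location` ends up.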

Proof Of Concept

  1. Ensure you are logged out from lorawan stack.
  2. Log into lorawan stack using http://server/oauth/login?n=https://maliciousdomain.com, where the value of n represents the domain you wish to redirect to.

Impact

This issue may allow malicious actors to phish users, since users assume they have been redirected to the homepage on login.

Resources

https://learn.snyk.io/lessons/open-redirect/javascript/

CVE

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-138 in any communication regarding this issue.