Coordinated Disclosure Timeline

Summary

Sickchill is vulnerable to an open redirect vulnerability.

Project

sickchill/sickchill

Tested Version

2024.3.1

Details

Open redirect in login (GHSL-2024-288)

The login endpoint's next_ parameter (populated from the user-controlled next query argument) accepts arbitrary content and is passed unchecked to self.redirect, so it can send the user to any destination, resulting in an open redirect.

    def post(self, next_=None):
        notifiers.notify_login(self.request.remote_ip)
        global login_error

        if self.get_body_argument("username", None) == settings.WEB_USERNAME and self.get_body_argument("password", None) == settings.WEB_PASSWORD:
            login_error = ""
            remember_me = config.checkbox_to_value(self.get_body_argument("remember_me", "0"))
            self.set_secure_cookie("sickchill_user", settings.API_KEY, expires_days=(None, 30)[remember_me])
            logger.info(_("User logged into the SickChill web interface"))
        else:
            logger.warning(_("User attempted a failed login to the SickChill web interface from IP: ") + self.request.remote_ip)
            login_error = _("Incorrect username or password! Both username and password are case sensitive!")

        # "next" is read straight from the query string and never validated ...
        next_ = self.get_query_argument("next", next_)
        # ... so any absolute URL supplied by the requester becomes the Location header.
        self.redirect(next_ or "/" + settings.DEFAULT_PAGE + "/")
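As an added hardening example (not SickChill's own code), the helper below is the check the handler above is missing: it accepts only a path on the current site and falls back to the default page otherwise. The ``default`` argument stands in for ``"/" + settings.DEFAULT_PAGE + "/"``, and the handler's last line would become ``self.redirect(safe_next(next_, "/" + settings.DEFAULT_PAGE + "/"))``.

```python
import re
from urllib.parse import urlsplit

# A local target must be a single leading "/" followed by anything other
# than "/" or "\". This rejects "//evil", "///evil" and "/\evil" (all of
# which browsers resolve to another host) before any URL parsing happens.
_LOCAL_PATH = re.compile(r"^/(?![/\\])")


def safe_next(next_, default="/home/"):
    """Return next_ if it is a path on this site, otherwise default.

    Hypothetical helper written for this advisory; the fallback value
    "/home/" is a constructed stand-in for the configured default page.
    """
    if not next_:
        return default
    candidate = next_.strip()
    # Control characters have no place in a redirect target (header
    # injection, log spoofing); backslashes are normalised to "/" by
    # browsers, so "/a\evil.com"-style values are refused outright.
    if "\\" in candidate or any(ord(c) < 0x20 or ord(c) == 0x7F for c in candidate):
        return default
    if not _LOCAL_PATH.match(candidate):
        return default
    # Belt and braces: a string that passed the prefix rule cannot carry a
    # scheme or authority, but confirm it with the standard parser.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default
    return candidate
```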

PoC

  1. Send the following request to the SickChill server. Here we assume it is running on sickchill.example and we redirect to https://wikipedia.org.

    curl --path-as-is -i -s -k -X $'POST' \
     -H $'Host: sickchill.example' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Connection: keep-alive' -H $'Content-Length: 0' \
     $'http://sickchill.example/login/?next=https://wikipedia.org'

Impact

This issue allows for redirecting a user to an attacker-controlled website and could be used in phishing attempts.

CVE

Credit

This issue was discovered and reported by GHSL team member @sylwia-budzynska (Sylwia Budzynska).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-288 in any communication regarding this issue.