Vulnerability

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Summary

The login page URL can include a url parameter, and after authentication, users will be redirected to this URL. If an attacker provides a url pointing to a phishing or other malicious website, users will be redirected there after logging in.

Details

Taint source

GET /bbs/login

On the login page, the view passes the url parameter from the URL to the template. When the template renders the page, it fills this url into an input field in the form. When users POST login data (i.e., POST /bbs/login), upon successful authentication, they will be redirected to the url value from the form.

Taint sink

POST /bbs/login

POC

For example, if the BBS website is at 127.0.0.1:8000, requesting http://127.0.0.1:8000/bbs/login?url=http://google.com will cause the browser to open the Google homepage after successful authentication.