
[Vulnerability] Cross site scripting (XSS) and Open Redirect on the login page #396

Merged (2 commits), Jun 23, 2023

catmandx (Contributor)

Description

The login page is vulnerable to open redirect and XSS attacks. An attacker can craft a seemingly valid URL and then trick the admin into clicking it; after the admin authenticates, the payload will run, which will:

  1. Redirect the browser to any URL the attacker chooses. This can lead to phishing and credential theft.
  2. Run JavaScript code inside the admin's browser. This can lead to unauthorized actions being performed, including but not limited to:
    a. Creating a new webui user with admin privileges, which can be used to take over the entire application.
    b. Creating new clients, exfiltrating existing client configs and sending them to the attacker. This can lead to exposure of private networks/servers, enabling further exploitation.

Cause

The function redirectNext in login.html does not check the value of the 'next' parameter before redirecting:

    function redirectNext() {
        const urlParams = new URLSearchParams(window.location.search);
        // Attacker-controlled: taken straight from the query string
        const nextURL = urlParams.get('next');
        if (nextURL) {
            // Used unvalidated, so any scheme (javascript:) or host is accepted
            window.location.href = nextURL;
        } else {
            window.location.href = '/{{.basePath}}';
        }
    }

Steps to reproduce

  1. Open redirect
    Login URL: https://example.com:5000/login?next=/

    Change the 'next' parameter to any URL:
    https://example.com:5000/login?next=https://malicious.domain

    After logging in the user will be redirected to the malicious domain.

  2. Cross site scripting
    Change the 'next' parameter to:
    javascript:alert(1)

Screenshot (image omitted)

The fix

Check if the 'next' param is just a singular slash (/) or starts with a slash and a character. This will prevent payloads like these:

javascript:alert(1)
https://google.com
//google.com
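The check described above, written out as an added example that is not the PR's patch or the project's code (the function names and the example origin are my own). It goes slightly beyond the rule the PR states: it also rejects a backslash after the leading slash, since browsers treat "/\" like "//", and confirms the resolved URL stays on the application's own origin.

```javascript
// Hypothetical validator for the 'next' parameter: accept exactly "/" or a
// path that starts with "/" followed by a character other than "/" (or "\").
// BASE_ORIGIN is a constructed value standing in for the app's own origin.
const BASE_ORIGIN = 'https://example.com:5000';

function isSafeNextPath(next) {
  if (typeof next !== 'string' || next.length === 0) return false;
  if (next === '/') return true;
  // Single leading slash followed by a non-slash, non-backslash character.
  // "//host" would be protocol-relative; "/\host" is normalised by browsers
  // to the same thing (the backslash case is an extra hardening step here).
  if (!/^\/[^\/\\]/.test(next)) return false;
  // Belt and braces: resolve against our origin and confirm it did not change.
  try {
    return new URL(next, BASE_ORIGIN).origin === BASE_ORIGIN;
  } catch {
    return false; // unparsable value: never redirect to it
  }
}

// Returns the redirect target for a given query string, falling back to the
// application root (the original code used '/{{.basePath}}' here).
function safeRedirectTarget(search, fallback = '/') {
  const next = new URLSearchParams(search).get('next');
  return isSafeNextPath(next) ? next : fallback;
}

// Constructed cases: the payloads listed in the PR plus two legitimate values.
const cases = [
  ['?next=/', '/'],
  ['?next=/admin/users', '/admin/users'],
  ['?next=javascript:alert(1)', '/'],
  ['?next=https://google.com', '/'],
  ['?next=//google.com', '/'],
  ['?next=/\\google.com', '/'],
];
for (const [search, expected] of cases) {
  const got = safeRedirectTarget(search);
  console.log(search.padEnd(28), '->', got.padEnd(14), got === expected ? 'ok' : 'FAIL');
}
```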

@ngoduykhanh (Owner)

Thanks @catmandx for reporting and fixing the issue. Merging it.

@ngoduykhanh ngoduykhanh merged commit 6bbe230 into ngoduykhanh:master Jun 23, 2023
@catmandx catmandx deleted the master-new branch June 23, 2023 11:12