False positive in the open redirect module #512

Open
devl00p opened this issue Oct 17, 2023 · 0 comments
Labels
bug Something isn't working

Comments

devl00p
Contributor

devl00p commented Oct 17, 2023

On the WordPress plugin comments-link-optimization

Reported vulnerability:

    "Open Redirect": [
      {
        "method": "GET",
        "path": "/",
        "info": "Open Redirect via injection in the parameter r",
        "level": 1,
        "parameter": "r",
        "referer": "",
        "module": "redirect",
        "http_request": "GET /?r=https%3A%2F%2Fopenbugbounty.org%2F HTTP/1.1\nhost: localhost:8000\nconnection: keep-alive\nuser-agent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0\naccept-language: en-US\naccept-encoding: gzip, deflate, br\naccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\ncookie: comment_author_70490311fe7c84acda8886406a6d884b=default; comment_author_email_70490311fe7c84acda8886406a6d884b=wapiti2021%40mailinator.com; comment_author_url_70490311fe7c84acda8886406a6d884b=https%3A%2F%2Fwapiti-scanner.github.io%2F; wordpress_test_cookie=WP%20Cookie%20check",
        "curl_command": "curl \"http://localhost:8000/?r=https%3A%2F%2Fopenbugbounty.org%2F\"",
        "wstg": [
          "WSTG-CLNT-04"
        ]
      },

but looking at the HTML code and the headers, we can see that this is not the case:

HTTP/1.1 200 OK
Date: Tue, 17 Oct 2023 20:05:19 GMT
Server: Apache/2.4.56 (Debian)
X-Powered-By: PHP/8.0.30
Vary: Accept-Encoding
Content-Length: 1163
Content-Type: text/html; charset=UTF-8

<html>
<head>
        <meta name="robots" content="noindex, nofollow">
        <meta http-equiv="content-type" content="text/html; charset=UTF-8">
        <title>Redirecting</title>
        <style type="text/css">
                body,td,div,.p,a{font-family:arial,sans-serif}
                div,td{color:#000}
                .f{color:#6f6f6f}
                a:link{color:#00c}
                a:visited{color:#551a8b}
                a:active{color:red}
                div.a{border-top:1px solid #bbb;border-bottom:1px solid #bbb;background:#f2f2f2;margin-top:1em;width:100%}
                div.b{padding:0.5em 0;margin-left:10px}
                div.c{margin-top:35px;margin-left:35px}
        </style>
        <script type="text/javascript">
                function goback() {window.history.go(-1);return false;}
                setTimeout(function(){window.location.href="https://openbugbounty.org/";},3000);
        </script>
</head>
<body topmargin=3 bgcolor=#ffffff marginheight=3>
<div class=a><div class=b><font size=+1><b>Redirecting</b></font></div></div><div class=c>&nbsp;The page will jump to <a href="https://openbugbounty.org/">https://openbugbounty.org/</a> after 3 seconds.
<br><br>&nbsp;If you do not want to visit the page, you can <a href="#" onclick="return goback();"> return to the previous page </a> .<br><br><br></div>
</body>

The module must have detected the control over window.location.href but did not take into account the presence of setTimeout, which is probably a good indicator that the redirection is not immediate (whereas the vulnerability type implies it is).
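As an added example (not Wapiti's own code), a Python heuristic that tells an immediate redirect to the injected URL apart from one that only fires after a setTimeout delay, covering Location headers, meta refresh and JavaScript assignments; the function names and the sample body are constructed here.

```python
import re
# Added example (not Wapiti's code): tell an immediate redirect to an injected URL
# from one that only fires after a setTimeout delay, as in the false positive above.
JS_ASSIGN = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']'
    r'|location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']'
)
META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*(\d+)\s*;\s*url=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)

def enclosing_timeout_delay(js, pos):
    """Delay (ms) of a setTimeout(...) whose argument list encloses offset `pos`;
    0 if enclosed without a numeric delay, None if not enclosed at all.
    Simplification: parentheses inside string literals are not special-cased."""
    for m in re.finditer(r'setTimeout\s*\(', js):
        if m.end() > pos:
            break
        depth, i = 1, m.end()
        while i < len(js) and depth:
            depth += {'(': 1, ')': -1}.get(js[i], 0)
            i += 1
        if depth == 0 and pos < i - 1:
            args = js[m.end():i - 1]
            delay = re.search(r',\s*(\d+)\s*$', args)
            return int(delay.group(1)) if delay else 0
    return None

def classify_redirect(status, headers, body, target):
    """Return 'header', 'meta-refresh', 'meta-delayed', 'js-immediate',
    'js-delayed' or 'none' for a redirect to `target`."""
    location = {k.lower(): v for k, v in headers.items()}.get('location', '')
    if 300 <= status < 400 and location.startswith(target):
        return 'header'
    m = META_REFRESH.search(body)
    if m and m.group(2).startswith(target):
        return 'meta-refresh' if int(m.group(1)) == 0 else 'meta-delayed'
    for m in JS_ASSIGN.finditer(body):
        url = m.group(1) or m.group(2)
        if url.startswith(target):
            delay = enclosing_timeout_delay(body, m.start())
            return 'js-delayed' if delay else 'js-immediate'
    return 'none'

# Constructed sample body modelled on the response quoted in the issue.
SAMPLE_BODY = '''<script>function goback() {window.history.go(-1);return false;}
setTimeout(function(){window.location.href="https://openbugbounty.org/";},3000);
</script>The page will jump to <a href="https://openbugbounty.org/">here</a> after 3 seconds.'''
```

Only 'header', 'meta-refresh' and 'js-immediate' should count as an open redirect finding; the quoted response classifies as 'js-delayed', which a scanner can down-rank or drop.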

devl00p added the bug label on Oct 17, 2023