Описание
Miniflux has an Open Redirect via protocol-relative redirect_url
Summary
redirect_url is treated as safe when url.Parse(...).IsAbs() is false. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites.
Details
url.Parse("//ikotaslabs.com")=> empty Scheme, Host="ikotaslabs.com".IsAbs()returns false for//ikotaslabs.com, so the code treats it as allowed.- Browser resolves
//ikotaslabs.comto current-origin scheme (e.g.https://ikotaslabs.com), enabling phishing flows after login.
PoC
- Send or visit:
http://localhost/login?redirect_url=//ikotaslabs.com - Complete normal login flow.
- After login the app redirects to
https://ikotaslabs.com(orhttp://depending on origin).
Acknowledgements
This vulnerability was discovered using the automated vulnerability analysis tools VulScribe and PwnML. The research and tool development were conducted with support from the MITOU Advanced Program (未踏アドバンスト事業), implemented by the Information-technology Promotion Agency (IPA), Japan.
Пакеты
miniflux.app/v2
<= 2.2.14
2.2.15
Связанные уязвимости
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below treat redirect_url as safe when url.Parse(...).IsAbs() is false, enabling phishing flows after login. Protocol-relative URLs like //ikotaslabs.com have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. This issue is fixed in version 2.2.15.
Miniflux 2 is an open source feed reader. Versions 2.2.14 and below tr ...