Open Redirect

2023-09-3011:50:40

tomorroisnew

www.huntr.dev

open redirect

project switch endpoint

symfony function

user-controlled input

bug bounty

EPSS

0.001

Percentile

42.3%

JSON

Description

There is an open redirect in the endpoint /project/switch/{project} due to the use of symfony’s redirect() function from a user controlled input.

Proof of Concept

        $targetPath = $request-&gt;query-&gt;get('targetPath', false);
        if ($targetPath) {
            return $this-&gt;redirect($targetPath);
        }

http://127.0.0.1:8080/project/switch/1?targetPath=https://google.com

References

symfony.com/doc/4.1/routing/redirect_in_config.html#:~:text=Because%20you%20are%20redirecting%20to%20a%20route%20instead%20of%20a%20path%2C%20the%20required%20option%20is%20called%20route%20in%20the%20redirect()%20action%2C%20instead%20of%20path%20in%20the%20urlRedirect()%20action.

EPSS

0.001

Percentile

42.3%

JSON

Related for 3FA2ABDE-CB58-45A3-A115-1727ECE9ACB9