Description

The Greenlight end-user interface is vulnerable to Open Redirect vulnerability in Login page due to unchecked the value of return_to cookie.

Proof of Concept

Original request example

POST /gl/u/login HTTP/1.1
Host: demo.bigbluebutton.org
Cookie: return_to=https://demo.bigbluebutton.org/gl/; _ga=GA1.2.75174201.1655862571; _gid=GA1.2.1247108436.1655862571; _gat_gtag_UA_33131630_1=1; _greenlight-2_3_session=FLsZsD9232zlyzG5gVpasMmXpeQ9bi3ofhipRGi%2BaHwAQCmSenHDKMO9DRziK2dFlplKT56UZjt%2FnCQqrrDMnAk3Y77rXNUfQjMCOV3Zedc1SMic7yuqck%2FRj7u1nkVV4xusXpjBF7LtoBAVkPQ%3D--3sRNMFDT40mbgT5E--wxoTOWme4WbMq4xhoEdKzw%3D%3D
Content-Length: 214
Cache-Control: max-age=0
Sec-Ch-Ua: "-Not.A/Brand";v="8", "Chromium";v="102"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://demo.bigbluebutton.org
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://demo.bigbluebutton.org/gl/signin
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

utf8=%E2%9C%93&authenticity_token=vp5XaMMhuNbjkU%2BV%2FsoSbroC7OLJxnPGaMCKgmgInH5TQbQ7R50EiKWd2mR7OxCcPQYbX66jZ4xVofJwOGdGtA%3D%3D&session%5Bemail%5D=<email>&session%5Bpassword%5D=<password>&commit=Sign+in

As you can see, there is a return_to cookie in the request that will redirect user to a site in that value after user log in. If I change that cookie to another value, for example:

return_to=https://google.com

Now, forward the edited request and you will be redirected to google.com.