OpenConext / OpenConext-myconext

A (guest) IdP for OpenConext
https://eduid.nl/

Client-side Open Redirect in svelte template (Low) #282

Closed phavekes closed 1 month ago

phavekes commented 1 month ago

This issue is imported from pivotal

It was found that the svelte template rendered on email confirmation receives a URL from an HTTP parameter and redirects to the URL without validation. As above, the user is not sufficiently notified about what happens within the flow. However, in contrast to SC-06-001 this vulnerability does show that the user gets informed about the redirect and requires user interaction. It also lets the user know what the targeted location is by rendering an associated template variable. On the contrary, this template variable can be set through a HTTP parameter allowing an attacker to abuse this.

Affected File: `account-gui/src/routes/Confirm.svelte`

Affected Code:

```js
const proceed = () => {
  if (typeof window !== 'undefined') {
    const urlSearchParams = new URLSearchParams(window.location.search);
    // Taken straight from the query string: attacker-controlled, not validated
    const redirect = decodeURIComponent(urlSearchParams.get("redirect"));
    // Navigates to whatever "redirect" contained, with "h" concatenated on
    window.location.href = `${redirect}?h=${urlSearchParams.get('h')}`;
  }
};
```

As already described in SC-06-003, it is advised to embed the exact target location within the notification. A warning that the location is external and potentially dangerous can also be a helpful indicator for the user to keep track of the current domain and the trust levels that can be allocated to it.

phavekes commented 1 month ago

You can just check if it's your own host (Thijs Kinkhorst - Feb 12, 2020)
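As an added example (not code from OpenConext-myconext or from the reporter), the same-origin check the last comment suggests, written as a pure function beside one that reproduces the affected behaviour from the snippet above so the two can be compared on the same inputs. The parameter names `redirect` and `h`, the origin `https://eduid.nl` and the sample query strings are assumptions constructed for illustration; requiring `h` to be present is also an assumption.

```javascript
// Added example, not project code. Resolves the "redirect" query parameter the
// way the affected Confirm.svelte does (unsafe) and with a same-origin check
// (safe). Both return the target string instead of assigning it to
// window.location.href so they can be exercised without a browser.

// Reproduction of the affected logic: decode the parameter and concatenate.
// Note the second decode: URLSearchParams already percent-decodes once, so a
// double-encoded value such as %252F%252Fevil.example becomes //evil.example
// here, which would slip past any check made on the raw parameter.
function unsafeRedirectTarget(search) {
  const params = new URLSearchParams(search);
  const redirect = decodeURIComponent(params.get("redirect"));
  return `${redirect}?h=${params.get("h")}`;
}

// Hardened variant: parse the target as a URL relative to the current origin,
// accept it only if it lands on that same origin, and attach "h" as a proper
// query parameter. currentOrigin is what window.location.origin would hold
// in the browser (assumed value in the tests below: "https://eduid.nl").
// Returns null when the redirect must be refused.
function safeRedirectTarget(search, currentOrigin) {
  const params = new URLSearchParams(search);
  const redirect = params.get("redirect");
  const h = params.get("h");
  if (redirect === null || h === null) return null;

  let target;
  try {
    // Relative paths ("/account") resolve onto currentOrigin; absolute URLs,
    // protocol-relative URLs ("//evil.example") and backslash variants
    // ("/\evil.example") resolve onto their own host, which the origin
    // comparison below then rejects. javascript: and data: URLs parse with
    // an opaque origin ("null") and are rejected the same way.
    target = new URL(redirect, currentOrigin);
  } catch {
    return null; // not a parsable URL at all
  }
  if (target.origin !== currentOrigin) return null;

  // No string concatenation: if the target already carries a query string,
  // "?h=" appended by hand would corrupt it.
  target.searchParams.set("h", h);
  return target.href;
}

module.exports = { unsafeRedirectTarget, safeRedirectTarget };
```

Checking `target.origin` rather than `target.hostname` also pins the scheme and port, so an `http://` downgrade of the same host is refused along with foreign hosts. A strict allow-list of relative paths would be tighter still if the flow never needs an absolute URL.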