kohler / hotcrp

HotCRP conference review software
http://read.seas.harvard.edu/~kohler/hotcrp

[Security] Open redirect vulnerability on at least the signin page #330

Closed tuxwielder closed 6 months ago

tuxwielder commented 6 months ago

Through our responsible disclosure program we were alerted to an open redirect vulnerability on our HotCRP instance. This issue is also present in the upstream test environment. When logged in, the following redirect is successful:

https://test.hotcrp.com/signin?redirect=https://bing.com

Seems like an issue that needs hardening.

With kind regards,

kohler commented 6 months ago

What bad thing will happen as a result of this so-called vulnerability? None of HotCRP's cookies or private information will be passed to bing.

kohler commented 6 months ago

More specifically, in a classical open-redirect vulnerability, the site redirects to an external SPOOF login page which can steal user credentials. In HotCRP the redirection is happening after signin. I guess the idea is the user might enter their signin credentials again or something?

tuxwielder commented 6 months ago

Hi Eddie,

I'll cite the reporter:

"Impact: One of the main uses for this vulnerability is to make phishing attacks more credible and effective. When an Open Redirect is used in a phishing attack, the victim receives an email that looks legitimate with a link that points to a correct and expected domain. For more info, refer to https://cwe.mitre.org/data/definitions/601.html"

With kind regards,

Jeroen

On 14/12/2023 15:47, Eddie Kohler wrote:

More specifically, in a classical open-redirect vulnerability, the site redirects to an external SPOOF login page which can steal user credentials. In HotCRP the redirection is happening /after/ signin. I guess the idea is the user might enter their signin credentials again or something?


-- CERT-UvA, CERT University of Amsterdam, Jeroen Roodhart, https://extranet.uva.nl/en/content/a-z/cert-uva/cert-uva.html, phone: +31 20 525 3322 (attended 24/7)

kohler commented 6 months ago

This is addressed in a80cfebf95c5220d5d0c54b0d4498c8124f8277c and prior commits, thanks for reporting it.
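The thread describes the `redirect` parameter on the signin page accepting an arbitrary external URL (CWE-601). As an added illustration that is not HotCRP's own code and does not reflect what the referenced commit does, the validator below shows how a post-signin redirect target can be restricted to the site's own origin, covering the usual bypass shapes (protocol-relative `//host`, backslash variants, `user@host` confusion, non-http schemes); `own_host` and the sample targets are assumptions for the example.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target: str, own_host: str) -> bool:
    """True only if `target` is an absolute path on this site (e.g. "/paper?p=12")
    or an http(s) URL whose host is exactly `own_host`."""
    if not target:
        return False
    # Control characters or surrounding whitespace can change how a browser
    # parses the URL; reject rather than try to normalize.
    if target != target.strip() or any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return False
    # Browsers treat "\" like "/" in the authority position, so "/\evil.com"
    # becomes a protocol-relative URL. Reject backslashes outright.
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http(s) back to our own host, and no userinfo,
        # because "https://own.host@evil.com" parses with host "evil.com".
        if parts.scheme not in ("http", "https"):
            return False
        if parts.username or parts.password:
            return False
        return (parts.hostname or "") == own_host.lower()
    if parts.netloc:
        # "//evil.com/..." has no scheme but a netloc: protocol-relative redirect.
        return False
    # Scheme-less and host-less: require a single leading "/". "///evil.com"
    # has an empty netloc in urlsplit but browsers resolve it to evil.com.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target: str, own_host: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, else the site-local fallback."""
    return target if is_safe_redirect(target, own_host) else fallback


if __name__ == "__main__":
    # Constructed sample targets, modelled on the report's ?redirect= value.
    host = "test.hotcrp.com"
    for t in ["/paper?p=12", "https://test.hotcrp.com/paper?p=12",
              "https://bing.com", "//bing.com", "/\\bing.com",
              "https://test.hotcrp.com@bing.com/", "javascript:alert(1)"]:
        print(f"{t!r:45} -> {safe_redirect_target(t, host)}")
```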