oss-sec mailing list archives
Re: Open Redirect in Tiny Tiny RSS (tt-rss)
From: Mark Steward <marksteward () gmail com>
Date: Sun, 3 Mar 2019 16:58:48 +0000
This fix isn't sufficient - there are URLs that browsers process that don't have a host when passed through parse_url.

Mark

On Sun, Mar 3, 2019 at 4:32 PM Hanno Böck <hanno () hboeck de> wrote:
> Hi,
>
> Via my personal Bug Bounty program on hackerone I got a report about an
> open redirect in a publicly accessible instance of Tiny Tiny RSS I have
> running on a subdomain.
>
> I'm aware that whether open redirects are vulnerabilities is debatable
> (which is also reflected in the discussion with tt-rss, but they fixed it
> nevertheless).
>
> PoC:
> https://[hostname]/public.php?return=http%3a%2f%2fevil.com%2f&op=login&login=password=&profile=0
>
> Report to tt-rss developers:
> https://discourse.tt-rss.org/t/open-redirect-via-public-php/2077
>
> Fix:
> https://git.tt-rss.org/fox/tt-rss/commit/c68ac04020d85a296c784de18f8def3f365f9f6a
>
> This was reported by Mariia Aleksandrova (zophi); I just forwarded the
> report to the tt-rss developers.
>
> --
> Hanno Böck
> https://hboeck.de/
> mail/jabber: hanno () hboeck de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
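The point Mark raises above (parse_url() reporting no host is not the same thing as the browser staying on the same site) is easiest to avoid by not comparing hosts at all and instead accepting only the shape of value the `return` parameter is meant to carry: a local path. The following PHP is an added example written for this thread, not code from tt-rss, from the linked commit, or from either poster; the function name safe_return_path, its default argument and the sample inputs are assumptions.

```php
<?php
// Added example (not tt-rss code): validate a post-login "return" target by
// allowlisting a local, path-only URL rather than checking parse_url()'s host.
//
// Rationale: parse_url() is not a browser URL parser. A value it reports
// without a host, or cannot parse at all, may still be resolved by a browser
// to another origin. Requiring the one shape we actually want avoids that
// parser mismatch; anything else falls back to a fixed default.

function safe_return_path(?string $candidate, string $default = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }

    // Reject control characters and whitespace: browsers strip some of these
    // before parsing, so their presence already means parser disagreement
    // (and a CR/LF here would also be a header-injection vector).
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return $default;
    }

    // Must start with exactly one forward slash. "//host" is scheme-relative,
    // and browsers treat a leading "/\" like "//", so both are excluded.
    if (!preg_match('#^/(?![/\\\\])#', $candidate)) {
        return $default;
    }

    // Belt and braces: the value must also parse as a bare path (plus optional
    // query/fragment) with no scheme, authority or credentials.
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    foreach (['scheme', 'host', 'user', 'pass', 'port'] as $forbidden) {
        if (isset($parts[$forbidden])) {
            return $default;
        }
    }

    return $candidate;
}

// Usage: constructed test inputs mapped to whether they should be accepted.
$tests = [
    '/feeds.php?id=1'         => true,
    'http://other.example/'   => false,
    '//other.example/'        => false,
    '/\\other.example/'       => false,   // single-quoted: the string is "/\other.example/"
    "/ok\r\nLocation: x"      => false,
    ''                        => false,
];

foreach ($tests as $input => $expect_accept) {
    $result   = safe_return_path($input, '/index.php');
    $accepted = ($result === $input);
    printf("%-32s %s\n", var_export($input, true), $accepted === $expect_accept ? 'ok' : 'MISMATCH');
}
```

The design choice is deliberate: a denylist of URL forms that browsers interpret differently from parse_url() would have to track every such form, whereas a positive check for "one leading slash, no authority, no control characters" stays correct without knowing them, and a rejected value simply sends the user to the application's own default page.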