Re: Open Redirect in Tiny Tiny RSS (tt-rss)

[Mark Steward <marksteward () gmail com>]

This fix isn't sufficient - there are URLs that browsers process that
don't have a host when passed through parse_url.


Mark

On Sun, Mar 3, 2019 at 4:32 PM Hanno Böck <hanno () hboeck de> wrote:
> Hi,
>
> Via my personal Bug Bounty program on hackerone I got a report about an
> open redirect in a publicly accessible instance of Tiny Tiny RSS I have
> running on a subdomain.
>
> I'm aware that whether open redirects are vulnerabilities is debatable
> (which is also reflected in the discussion with tt-rss, but they fixed
> it nevertheless).
>
> PoC:
> https://[hostname]/public.php?return=http%3a%2f%2fevil.com%2f&op=login&login=password=&profile=0
>
> Report to tt-rss developers:
> https://discourse.tt-rss.org/t/open-redirect-via-public-php/2077
> Fix:
> https://git.tt-rss.org/fox/tt-rss/commit/c68ac04020d85a296c784de18f8def3f365f9f6a
>
> This was reported by Mariia Aleksandrova (zophi), I just forwarded the
> report to the tt-rss developers.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: hanno () hboeck de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42