Protocol & ports are not shown in third-party site redirect warning page
State Resolved (Closed)
Disclosed publicly 2019-01-11T13:39:12.445Z
Reported To
Weakness Open Redirect
Bounty $100


Timeline
submitted a report to SEMrush.
2018-12-09T10:06:59.338Z

Summary:
Protocol & ports are not shown in third-party site redirect warning page

Vulnerable Endpoint :- https://www.semrush.com/redirect?url=ftp://evil.com:1337

Description:
I noticed report #311330, where you guys fixed an open redirect report by adding an external third-party site redirect warning page. It was a great fix. However, an issue caught my eye. URLs contain a protocol and ports. If I add a URL with any other protocol, like ftp://, then it's not shown in the external warning page, which can be used to take a user to a place other than where they expected to go.

Browsers Verified In:

<a href="ftp://evil.com:1337" id="js-site-link" class="site_link" data-test-site-link="">
Go to site </a>

Supporting Material/References:

Impact

I noticed that in the url= parameter many protocols can be used. For example, I can use the vnc:// protocol, and on my macOS, if I visit https://www.semrush.com/redirect?url=ftp://evil.com:1337 and click on Go to site, then it will open my Mac environment's default VNC app, like the screenshot below:

So while the user may think they will visit a site, they will actually request a site with a protocol that may take them to anything else.

FIX :-

I can suggest 2 possible fixes here:

  • Show the protocol & ports of the inputted URL in the warning page.
  • Or only allow users to add the HTTP & HTTPS protocols.

Thanks.

Regards,
Frans
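
Both suggested fixes, as an added example that is not part of the report or of SEMrush's code: a validator for the url= parameter that accepts only http and https (rejecting ftp://, vnc://, javascript: and scheme-relative //host inputs) and an interstitial text that always spells out scheme, host and port. Function names and the warning wording are assumptions.

```python
from urllib.parse import urlsplit

# Hypothetical helper, not SEMrush's code. Mirrors fix 2 from the report:
# only http/https may be redirect targets.
ALLOWED_SCHEMES = {"http", "https"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def validate_redirect_target(url: str):
    """Return (scheme, host, port) for an allowed target, or None.

    ftp://, vnc://, javascript: and scheme-relative (//host) inputs are
    refused because their scheme is not http/https; a non-numeric port
    is refused rather than silently dropped.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal in the host
        return None
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    host = parts.hostname  # lower-cased, with userinfo and port stripped
    if not host:
        return None
    try:
        port = parts.port  # raises ValueError for "host:abc"
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, host, port


def warning_page_text(url: str) -> str:
    """Text for the interstitial (fix 1): scheme, host and port are
    always shown explicitly, so a non-default port cannot hide."""
    target = validate_redirect_target(url)
    if target is None:
        return "Invalid redirect target: only http and https URLs are allowed."
    scheme, host, port = target
    return (
        "You are leaving this site for an external address.\n"
        f"Scheme: {scheme}\nHost: {host}\nPort: {port}\n"
        f"Go to {scheme}://{host}:{port}"
    )
```
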

slowstock Activities::Comment
2018-12-09T11:45:58.713Z
Thanks for the report, we will investigate this.


prial261 Activities::Comment
2018-12-09T13:32:45.722Z
Great. Take your time. For your information, HackerOne uses the same type of external warning page, but they show the protocol of the URL on the page, like the screenshot below: {F387773}


slowstock Activities::Comment
2018-12-10T10:44:52.362Z
Thanks for the report, we will investigate this.


slowstock Activities::BugTriaged
2018-12-12T13:14:29.118Z


slowstock Activities::Comment
2018-12-12T13:39:10.179Z
Could you please check the fix?


prial261 Activities::Comment
2018-12-12T13:42:40.763Z
Great fix :D Now only HTTP & HTTPS are allowed on the endpoint.


slowstock Activities::BugResolved
2018-12-12T14:31:51.478Z
I'll tell the dev team that you liked the fix ;) Thank you for the report again! The decision about the bounty 💰💰💰 will be made a little bit later.


prial261 Activities::AgreedOnGoingPublic
2018-12-12T14:38:03.574Z
Great. Until then, can we go for public disclosure?


prial261 Activities::Comment
2018-12-15T13:35:51.429Z
@slowstock, accept public disclosure?


slowstock Activities::Comment
2018-12-15T14:05:50.189Z
Hi! Actually I need some time to discuss it with my team. Sorry for the delay!


prial261 Activities::Comment
2019-01-04T14:49:43.731Z
Automatic disclosure scheduled. Take a look.


Activities::BountyAwarded
2019-01-11T13:28:59.798Z
Thanks for making our service safer!


slowstock Activities::AgreedOnGoingPublic
2019-01-11T13:39:12.383Z


slowstock Activities::ReportBecamePublic
2019-01-11T13:39:12.469Z