Created August 22, 2024 14:08
Revisions
- Letm3through created this gist Aug 22, 2024.

@@ -0,0 +1,34 @@ # CVE-2024-39097: Open Redirect Bypass via `//` **Discovered by:** letm3through (Ahn TaeGyu) ## Description There is an Open Redirect vulnerability in Gnuboard v6.0.4 and below via the `url` parameter in login path. - **Vulnerability Type:** CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - **CVE Impact Other:** Phishing via URL Redirection to Untrusted Site ('Open Redirect') - **Attack Type:** Remote ## Affected Product - **Name of affected Product:** gnuboard 6 - **Affected version**: =< 6.0.4 - **Affected Product Code Base:** Gnuboard version 6.0.4 and below are affected - Fixed in version 6.0.5 ## Affected Component - **Component:** Login Path of Gnuboard 6 - **Affected source code:** [dependencies.py](https://github.com/gnuboard/g6/blob/fcd8dc7c42181fa95c1d64f688f6a720902d473e/lib/dependency/dependencies.py#L259-L270) - **Issue provided with fix PR:** https://github.com/gnuboard/g6/issues/582 ## Attack Vectors `url` parameter is vulnerable to open redirect despite having a filter logic. The filter logic can be easily bypassed with double slashes `//` as below PoC. PoC: ``` http://[DOMAIN]/bbs/login?url=//example.com ``` ## Reference - https://github.com/gnuboard/g6/issues/582
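Review bot: The Attack Vectors section says the filter "can be easily bypassed with double slashes" but never states what the filter checks or why a value starting with `//` gets past it, so a reader cannot tell from the advisory what the corrected check has to reject. Suggest adding one sentence on the filter's rule and noting that browsers resolve `//example.com` as a scheme-relative reference to an external host, which is why it behaves like an absolute URL even though it carries no scheme. In Affected Product, `=< 6.0.4` should read `<= 6.0.4`, and `**Affected version**:` puts the colon outside the bold, unlike the neighbouring fields. The "Issue provided with fix PR" field and the Reference section both point at issue 582; linking the fix PR or commit itself would let readers confirm what changed in 6.0.5.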