[BUG] [XBOW-025-006] Stored Open Redirect via URL Shortener in Graphite 1.1.10 #2872

Open
xbow-security opened this issue Jan 24, 2025 · 0 comments

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

The URL shortener component in Graphite 1.1.10 contains an open redirect vulnerability in its URL following functionality. The issue occurs in the follow() function of the URL shortener module, which performs URL redirection based on shortened URLs without proper validation of the destination URL.

When processing a shortened URL through the /S/<link_id> endpoint, the application concatenates the stored URL path directly with the result of reverse('browser') without proper validation or sanitization. This allows an attacker to craft special URLs that, when shortened and followed, will redirect to arbitrary external domains.

This type of vulnerability can be used in phishing attacks where the attacker creates a malicious URL that appears legitimate because it originates from the trusted Graphite domain. The redirection can then lead users to malicious websites while appearing to come from a trusted source.

Steps to Reproduce

  1. Create a shortened URL using a specially crafted path:

    GET /s///evil.com

  2. The application will respond with a shortened URL path (e.g., /S/B).

  3. Access the shortened URL:

    GET /S/B

  4. Observe that the application redirects to the external domain (http://evil.com/).

When these steps are followed, the application will redirect users to the arbitrary external domain specified in the crafted URL. This occurs because the URL shortener's follow function concatenates paths without proper validation of the resulting URL.

Mitigations

  • Implement proper URL validation to ensure redirects only go to trusted domains or relative paths within the application.
  • Use a whitelist of allowed domains and validate all redirect destinations against this list.
  • Instead of direct URL concatenation, implement a safe URL construction method that prevents path traversal and protocol-relative URL attacks.
  • Consider implementing a warning page for external redirects to alert users when they are leaving the trusted domain.

Impact

The vulnerability requires no authentication and can be exploited by anyone who can create shortened URLs in the application. The impact is moderate as it allows attackers to redirect users to arbitrary external domains, which could be used in phishing attacks or to bypass security controls that rely on trusted domain origins.

Disclosure Policy

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.
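The following is an added example illustrating the Mitigations section above; it is not code from the report or from the Graphite project. It models the construction the report describes (reverse('browser') concatenated with the stored link) and places a validator in front of the redirect. The exact stored form of the link and the value of reverse('browser') are assumptions here (the remainder of the path after /s/, and "/" respectively), as is the host name in ALLOWED_HOSTS. In a real Django view the same check is provided by django.utils.http.url_has_allowed_host_and_scheme; this version uses only urllib.parse so it runs stand-alone.

```python
from urllib.parse import urlsplit

# Constructed for this example: the host(s) the Graphite instance is served from.
ALLOWED_HOSTS = {"graphite.example.com"}


def is_safe_redirect(url, allowed_hosts):
    """Accept only site-relative absolute paths or http(s) URLs on an allowed host.

    Rejects the scheme-relative forms (//host, ///host) that the report's
    "/s///evil.com" payload relies on, the backslash variants some browsers
    normalise to slashes, scheme-without-host forms such as "https:/host"
    that browsers re-parse as "https://host", and non-http schemes.
    """
    if not url:
        return False
    # Control characters are never legitimate in a Location value.
    if any(ord(c) < 32 for c in url):
        return False
    # Some browsers treat "\" as "/", so normalise before inspecting.
    url = url.replace("\\", "/")
    # "//host" and "///host" are both read as scheme-relative by browsers,
    # even though urlsplit() parses "///host" as a bare path.
    if url.startswith("//"):
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    if parts.scheme and not parts.netloc:
        # e.g. "https:/evil.com": a special scheme with a missing host.
        return False
    if parts.netloc:
        # hostname strips userinfo and port, so "allowed@evil.com" is judged
        # by its real host, evil.com.
        return parts.hostname in allowed_hosts
    # No scheme, no host: must be an absolute path within the site.
    return parts.path.startswith("/")


def follow_as_reported(stored_path, browser_path="/"):
    """The construction the report describes (assumed form): the browser path
    plus the stored link, used as the redirect Location with no validation."""
    return browser_path + stored_path


def follow_hardened(stored_path, browser_path="/", allowed_hosts=ALLOWED_HOSTS):
    """Mitigated follow(): build the Location the same way, but validate it and
    return None (caller falls back to the browser root or a warning page)
    when it would leave the site."""
    location = browser_path + stored_path
    if not is_safe_redirect(location, allowed_hosts):
        return None
    return location


if __name__ == "__main__":
    # Constructed inputs: the report's payload and an ordinary Graphite link.
    for link in ("//evil.com", "render?target=foo"):
        print(link, "->", follow_as_reported(link), "| hardened:", follow_hardened(link))
```

The validator runs on the fully constructed Location rather than on the stored fragment, so it also covers any future change to how the two halves are joined. Rejected links return None so the view can decide between redirecting to the browser root and showing the external-redirect warning page listed among the mitigations.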
