Open redirect in switch account functionality
Low
Revive Adserver
Team Summary
Official summary from Revive Adserver
A user having access to the UI of a Revive Adserver instance could be tricked into clicking on a specifically crafted admin `account-switch.php` URL that would eventually lead them to another (unsafe) domain, potentially used for stealing credentials or other phishing attacks.
Reported by
sumni
Vulnerability Details
Technical details and impact analysis
To reproduce this vulnerability:
1. You have to be a logged-in user
2. Enter the address: http://<your_local_installation>/www/admin/account-switch.php?return_url=http://127.0.0.1:12345/test
This is due to the unrestricted redirection URL passed in the `return_url` parameter. I would recommend using some kind of whitelisting, or a check that you are redirecting to the same domain you were on before.
## Impact
This kind of open redirect vulnerability is used in phishing campaigns. I assume that in this case a support request containing a crafted URL would have a higher chance of success. For additional malicious URL obfuscation you can:
- add some unused parameters that would suggest identifiers of campaigns, other accounts and other Revive-specific information
- register a domain name similar to the attacked one
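A generic version of the check the reporter recommends, as an added Python example; this is not Revive Adserver's code, and the allowed host `ads.example.com`, the landing-page path `/www/admin/index.php` and the function names are assumptions. The hardened function sits next to the pattern the report describes (using the parameter as the redirect target unchanged). It accepts only path-relative URLs or absolute http(s) URLs whose host is on the allow-list, and always rebuilds the result as a path-only URL, so the browser takes scheme, host and port from the server rather than from the parameter. It also refuses the usual bypasses: scheme-relative `//host`, backslashes in the authority, control characters, `javascript:`/`data:` schemes, `user@host` tricks and a doubled slash at the start of the path.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed host of the Revive Adserver installation and assumed default landing page;
# neither is taken from the project's configuration.
ALLOWED_HOSTS = {"ads.example.com"}
DEFAULT_LANDING = "/www/admin/index.php"


def unsafe_return_url(return_url):
    """The pattern the report describes: the parameter is used as the redirect target unchanged."""
    return return_url


def safe_return_url(return_url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return a redirect target that stays on the current host, or the default landing page.

    Accepted inputs are path-relative URLs ("/www/admin/...") and absolute http(s) URLs
    whose host is on the allow-list. The result is always rebuilt as a path-only URL, so
    scheme, host and port come from the server rather than from the attacker.
    """
    if not isinstance(return_url, str) or not return_url:
        return default
    # Tabs, newlines and other control characters let a URL look relative to one parser
    # and absolute to the browser; refuse them outright.
    if any(ord(c) < 0x21 for c in return_url):
        return default
    # Browsers treat a backslash in the authority like a forward slash ("/\evil" == "//evil").
    candidate = return_url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. malformed IPv6 brackets in the authority
        return default

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. A leading "//" never reaches here (urlsplit parses it as
        # netloc); anything not starting with a single "/" is rejected as well.
        if candidate.startswith("/"):
            return candidate
        return default

    if parts.scheme.lower() not in ("http", "https"):
        return default          # scheme-relative "//host", "javascript:", "data:", ...
    if parts.username is not None or parts.password is not None:
        return default          # "http://ads.example.com@evil.example/" trick
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default

    # Collapse leading slashes so the rebuilt URL cannot become scheme-relative ("//evil").
    path = "/" + parts.path.lstrip("/")
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    crafted = "http://127.0.0.1:12345/test"   # the report's proof-of-concept value
    print("unsafe:", unsafe_return_url(crafted))
    print("safe:  ", safe_return_url(crafted))
```

Note that an exact host match is deliberate: a suffix check such as `endswith("example.com")` would accept `ads.example.com.evil.example`, and comparing the full `netloc` instead of `hostname` would let the PoC's `127.0.0.1:12345` differ from the configured host only by port. Rebuilding the target as a path means even an allow-listed host with a different port or scheme cannot move the user off the current origin.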
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
Open Redirect