I have found a bypass to your Open Redirect protection based on a regexp (glpi/inc/toolbox.class.php, line 1840 in 66617ea: static function manageRedirect($where) {).
Just follow: http://HOST/index.php?redirect=/\/example.com
The location is rewritten to /\\/example.com which actually leads to example.com (tested on Chrome and Firefox).
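The behaviour reported above can be reproduced with the WHATWG URL parser, which treats a backslash like a forward slash for http(s) URLs. The following is an added example, not GLPI code and not the project's fix: the origin, the function names and the naive pattern are assumptions constructed for illustration. It compares a pattern-based check with a check that resolves the target first and then compares origins.

```javascript
// Added example (not GLPI code). APP_ORIGIN and all function names are hypothetical.
const APP_ORIGIN = 'http://glpi.example.test';

// Constructed naive filter: rejects absolute URLs ("scheme:") and
// protocol-relative targets ("//host"). It is NOT the regexp used by GLPI;
// it only stands in for a pattern-based check on the raw string.
function naiveIsLocal(target) {
  return !/^([a-z][a-z0-9+.-]*:|\/\/)/i.test(target);
}

// Host the target resolves to when parsed relative to the application,
// using the WHATWG URL rules ("\" is handled like "/" for http/https).
function resolvedHost(target, appOrigin = APP_ORIGIN) {
  return new URL(target, appOrigin + '/').host;
}

// Resolve first, then compare origins. Anything that ends up on another
// origin (or cannot be parsed) is refused.
function isSameOriginRedirect(target, appOrigin = APP_ORIGIN) {
  if (typeof target !== 'string') return false;
  let resolved;
  try {
    resolved = new URL(target, appOrigin + '/');
  } catch {
    return false;
  }
  return resolved.origin === new URL(appOrigin).origin;
}

// Constructed sample inputs: one legitimate path, the value from the report,
// the rewritten Location value from the report, and two plain external forms.
const samples = [
  '/front/ticket.php?id=1',
  '/\\/example.com',
  '/\\\\/example.com',
  '//example.com',
  'https://example.com/',
];

function report() {
  return samples.map((target) => ({
    target,
    naiveAccepts: naiveIsLocal(target),
    resolvesTo: resolvedHost(target),
    sameOrigin: isSameOriginRedirect(target),
  }));
}

console.table(report());
```
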
Patches
Fixed in 5a74983
Reference
https://offsec.almond.consulting/multiple-vulnerabilities-in-glpi.html
For more information
If you have any questions or comments about this advisory: