
Open redirect vulnerability on 2FA #4307

@glitch003

Description

  • Gitea version (or commit ref): 1.4.1
  • Git version: 2.17.1
  • Operating system: Ubuntu 16
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist: N/A

Description

This bug was submitted via a Bug Bounty program my company has, and I'd love to hear your thoughts on it

During the login process, when the victim has entered his/her password and is then redirected to the page where he/she is told to enter his/her 2FA code, at this point the attacker will send a crafted link "https://try.gitea.io/user/login?redirect_to=//google.com/"

This crafted link will send him/her to the same page he/she was viewing before, and he/she will think it is a legitimate page being loaded from "try.gitea.io"

Now they will enter their 2FA code there and will then be redirected to google.com or any other web page the attacker wants.

More info about open redirect vulnerabilities and why they're a problem:

Reproduction

You must have 2FA enabled on your account.

  1. Login at https://try.gitea.io/
  2. You will be redirected to "https://try.gitea.io/user/two_factor"
  3. Open this link "https://try.gitea.io/user/login?redirect_to=//google.com/"
  4. Enter the 2FA Code
  5. You will be redirected to google.com
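
The usual fix for this class of bug is to validate `redirect_to` server-side and only honour same-origin paths. The following Go snippet is an added illustration of such a check, written for this issue and not taken from Gitea's code base; the function names `isLocalRedirect` and `safeRedirect` are hypothetical. It rejects the protocol-relative form used in the report (`//google.com/`), the backslash variant that browsers also treat as protocol-relative (`/\google.com`), absolute URLs with a scheme, and bare hostnames, while still accepting ordinary local paths.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isLocalRedirect reports whether target is safe to use as a post-login
// redirect: it must be a path on the same origin, never another host.
// Hypothetical helper written for this issue, not Gitea's own code.
func isLocalRedirect(target string) bool {
	if target == "" {
		return false
	}
	// Browsers treat a leading "//" or "/\" as protocol-relative, so the
	// raw string must be inspected before url.Parse normalises anything.
	if strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return false
	}
	// Anything not starting with "/" is a relative path, a bare host name
	// such as "google.com", or a scheme such as "https:" or "javascript:".
	if !strings.HasPrefix(target, "/") {
		return false
	}
	// Backslashes and line breaks are never valid in a local path and are
	// the usual ingredients of host-confusion and header-injection tricks.
	if strings.ContainsAny(target, "\\\r\n\t") {
		return false
	}
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	// A same-origin path has no scheme, host, or userinfo once parsed.
	return u.Scheme == "" && u.Host == "" && u.User == nil
}

// safeRedirect returns target when it is a local path, otherwise fallback
// (for example the user's dashboard).
func safeRedirect(target, fallback string) string {
	if isLocalRedirect(target) {
		return target
	}
	return fallback
}

func main() {
	// Constructed sample inputs, including the value from the report.
	for _, t := range []string{
		"/user/settings",
		"//google.com/",
		"/\\google.com",
		"https://google.com",
		"google.com",
		"",
	} {
		fmt.Printf("%-22q -> %v\n", t, isLocalRedirect(t))
	}
}
```

In a login or 2FA handler the call would be `ctx.Redirect(safeRedirect(redirectTo, "/"))` or its equivalent, so that an untrusted value can only ever land the user somewhere on the application's own origin.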

Labels: topic/security (Something leaks user information or is otherwise vulnerable. Should be fixed!)