[XBOW-025-012] Open Redirect Vulnerability in Privacy Agreement Handling in WikiDocs Project #237

Open
xbow-security opened this issue Jan 24, 2025 · 0 comments
Labels
bug Something isn't working

xbow-security commented Jan 24, 2025

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

The WikiDocs application contains an open redirect vulnerability in its privacy agreement handling functionality. The vulnerability exists in the privacyAgreement() method of the Session class, where the application performs an unvalidated redirect using the 'doc' parameter combined with the privacy setting update.

The application concatenates the PATH and DOC constants to form a redirect URL without proper validation. Since DOC is derived from the $_GET['doc'] parameter, an attacker can manipulate this parameter to force a redirect to an arbitrary domain by using protocol-relative URLs (URLs starting with //). The lack of proper URL validation and sanitization in this process allows an attacker to redirect users to malicious websites.

Steps to reproduce

  1. Access the WikiDocs application.
  2. Craft a malicious URL using the privacy and doc parameters:
     http://target-application/index.php?privacy=1&doc=//evil.com
  3. When a user visits this URL, they will be redirected to evil.com instead of staying within the application's domain.

The final outcome of this exploitation is that any user visiting the crafted URL will be automatically redirected to the attacker-controlled domain. This happens because the application concatenates the PATH constant with the attacker-controlled DOC parameter without proper validation, and the use of a protocol-relative URL (starting with //) causes the browser to maintain the current protocol while switching to the attacker's domain.

Mitigations

  • Implement strict URL validation that only allows redirects to trusted domains or relative paths within the application.
  • Use a whitelist of allowed domains or paths for redirects rather than accepting arbitrary URLs from user input.
  • Implement URL sanitization that strips or encodes potentially dangerous URL components.
  • Consider using relative URLs for internal redirects instead of allowing full URLs in redirect parameters.

Impact

This vulnerability has a medium severity impact as it requires no special privileges to exploit and can be used to redirect users to malicious websites. While the vulnerability itself doesn't directly expose sensitive data, it can be used in phishing attacks to redirect users to malicious sites that appear legitimate, potentially leading to credential theft or malware distribution. The attack vector is client-side and requires user interaction with a malicious URL.

Disclosure Policy

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.
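The mitigations listed above (accept only relative in-application paths, reject protocol-relative and scheme-prefixed targets) as an added PHP example; this is not WikiDocs' own code. It assumes a `PATH` constant holding the application's base path and a `doc` query parameter that should only ever name a wiki document.

```php
<?php
// Added example, not WikiDocs' code: validate the "doc" parameter before it
// is used to build a redirect, so the Location header can never leave the
// application's origin. Assumed: PATH is the app base path, e.g. "/wikidocs/".

/**
 * Return a same-origin redirect target built from the trusted base path,
 * or null when $doc is not an in-application document path.
 */
function safeRedirectTarget(string $basePath, string $doc): ?string
{
    // 1. Reject protocol-relative ("//evil.com") and backslash variants
    //    ("\\evil.com", which browsers normalise to "//"), any scheme prefix
    //    ("http:", "javascript:"), and control characters (CRLF injection).
    if (preg_match('#^[/\\\\]{2}|^[a-z][a-z0-9+.\-]*:|[\x00-\x1f\x7f]#i', $doc)) {
        return null;
    }
    // 2. Allow only a conservative document-name character set.
    if (!preg_match('#^[A-Za-z0-9_./-]+$#', $doc)) {
        return null;
    }
    // 3. Reject traversal ("..") and empty segments ("a//b").
    foreach (explode('/', trim($doc, '/')) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }
    // 4. Build the URL from the trusted base path, never from raw input.
    return rtrim($basePath, '/') . '/' . ltrim($doc, '/');
}

// Hypothetical wiring in the privacy-agreement handler.
$basePath = defined('PATH') ? PATH : '/';
$target   = safeRedirectTarget($basePath, (string)($_GET['doc'] ?? ''));
if ($target === null) {
    // Invalid or external target: fall back to the wiki home page.
    $target = rtrim($basePath, '/') . '/';
}
header('Location: ' . $target, true, 302);
exit;
```

With this check, `doc=//evil.com` and `doc=http://evil.com` both fall back to the home page, while `doc=Home` or `doc=docs/Install` still redirect within the application.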
