An open redirect vulnerability in Hubzilla 7.0.3 and earlier allows remote attackers to redirect a logged in user to an arbitrary URL via the rpath parameter.
CVE: CVE-2022-27256
Severity: 4.7 (Medium)
CVSSv3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Vulnerable application: Hubzilla
Component: Settings modules
Vulnerable version: Any version before 7.2
Fixed in: version 7.2
When submitting a change in one of the affected settings modules, the rpath query parameter is passed on as a POST parameter and used blindly as the redirect target after the form is submitted, leading to an open redirect vulnerability.
An attacker can use this to trick a victim into handing over sensitive information: the victim is first directed to change a setting and, after submitting the change, is redirected to an attacker-controlled site. The malicious site can, for example, be made to look like the Hubzilla login form, convincing the victim that they need to authenticate again to save the changes.
Proof of concept
https://example.com/settings/calendar/?f=&rpath=https://evilsite.org/auth.php
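The following is an added illustration, not Hubzilla's own code, of the flawed pattern described above (the submitted rpath value is used as the redirect target as-is) next to a hardened replacement that only accepts a same-site path. The hub hostname, the handler names and the sample form fields are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed hostname of the hub; a constructed value for this example.
SITE_HOST = "example.com"


def vulnerable_redirect_target(rpath: str) -> str:
    """The flawed pattern: whatever arrived in rpath becomes the Location header."""
    return rpath or "/"


def safe_redirect_target(rpath, default: str = "/") -> str:
    """Return rpath only if it is a path on this site; otherwise fall back to default.

    Accepts "/path?query#frag" and absolute https URLs whose host is SITE_HOST
    (rewritten to a relative path). Everything else, including "//host", a
    non-https scheme, a foreign host, or userinfo tricks like
    "https://example.com@evil/", is replaced by the default.
    """
    if not isinstance(rpath, str):
        return default
    rpath = rpath.strip()
    if not rpath:
        return default
    # Control characters and backslashes are rejected outright: some browsers
    # normalise "\" to "/", turning "/\evil" into a protocol-relative URL.
    if any(ord(c) < 0x20 or c == "\\" for c in rpath):
        return default
    parts = urlsplit(rpath)
    if parts.scheme or parts.netloc:
        # "//evil" parses with an empty scheme but a netloc, so it lands here too.
        # hostname is lowercased and stripped of port and userinfo by urlsplit.
        if parts.scheme == "https" and parts.hostname == SITE_HOST:
            return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
        return default
    # A bare path must be rooted at "/" and must not start with "//".
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def location_after_submit(form_fields: dict, hardened: bool = True) -> str:
    """Simulate the settings POST handler and return the Location header value.

    form_fields stands in for the submitted form, where rpath was copied from
    the query string into a hidden field when the form was rendered.
    """
    rpath = form_fields.get("rpath", "")
    if hardened:
        return safe_redirect_target(rpath)
    return vulnerable_redirect_target(rpath)


if __name__ == "__main__":
    # Constructed form submission mirroring the proof-of-concept URL above.
    submitted = {"f": "", "rpath": "https://evilsite.org/auth.php"}
    print("vulnerable:", location_after_submit(submitted, hardened=False))
    print("hardened:  ", location_after_submit(submitted))
```

The hardened check deliberately parses the value rather than matching on a prefix: prefix checks such as "starts with /" let "//evilsite.org" through, and "starts with https://example.com" lets "https://example.com.evilsite.org" through. Rewriting accepted same-host URLs to a relative path also keeps the Location header from ever carrying a host the attacker chose.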
Remediation
Upgrade to Hubzilla version 7.2 or later, where this vulnerability is fixed.
Credits
This issue was originally reported and fixed by Harald Eilertsen.