Bypass previous fix in sissbruecker/linkding

Valid

Reported on

Mar 26th 2022


Description

Bypass previous report fix

Proof of Concept

It checks whether return_url starts with /. So, it can be bypassed using //google.com (a protocol-relative URL, which the browser resolves to an external host).

1. Login in the demo instance https://demo.linkding.link/
2. Go to https://demo.linkding.link/bookmarks/3/remove?return_url=//google.com
3. You will be redirected to google.com

Impact

open redirect check bypass
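To make the bypass concrete, here is the prefix check as the report describes it next to a hardened version. This is an added example written for this page, not the project's code and not the fix from the referenced commit; the function names and the sample URLs are constructed for illustration. The hardened check models the normalisation Django's url_has_allowed_host_and_scheme() performs (backslash-to-slash, stripping tab/CR/LF) using only the standard library, and it rejects every root-relative-looking value a browser could still interpret as another origin, not just the //host case from the report.

```python
"""Open-redirect return_url check: the naive prefix test beside a hardened version."""
from urllib.parse import urlsplit

# Constructed sample values (not from the report or the project) with the
# verdict the hardened check should give for each.
SAMPLES = {
    "/bookmarks": True,
    "/bookmarks?q=a": True,
    "//google.com": False,          # the bypass shown in the report
    "/\\google.com": False,         # browsers treat "\" like "/"
    "///google.com": False,         # some browsers collapse to //google.com
    "https://google.com/": False,
    "javascript:alert(1)": False,
    " //google.com": False,         # leading whitespace is ignored by browsers
    "/\t/google.com": False,        # browsers drop tab/CR/LF inside a URL
    "": False,
}


def naive_is_safe(return_url: str) -> bool:
    """The check as the report describes it: accept anything starting with '/'."""
    return return_url.startswith("/")


def is_safe_return_url(return_url: str) -> bool:
    """Accept only root-relative paths the browser cannot resolve to another origin.

    Hypothetical stdlib re-implementation of the normalisation Django's
    url_has_allowed_host_and_scheme() applies; not the project's fix.
    """
    if not return_url:
        return False
    # Browsers ignore surrounding whitespace and strip tab/CR/LF anywhere.
    cleaned = return_url.strip()
    for ch in ("\t", "\r", "\n"):
        cleaned = cleaned.replace(ch, "")
    # Browsers treat a backslash as a forward slash in the authority/path prefix,
    # so "/\evil.com" must be judged as "//evil.com".
    cleaned = cleaned.replace("\\", "/")
    # Require a single leading slash: "//host" and "///host" are never a local path.
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return False
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return False
    # A genuinely relative URL has neither scheme nor network location.
    return not parts.scheme and not parts.netloc


def check_samples() -> dict:
    """Return {url: (naive verdict, hardened verdict)} for every constructed sample."""
    return {url: (naive_is_safe(url), is_safe_return_url(url)) for url in SAMPLES}


if __name__ == "__main__":
    for url, (naive, hardened) in check_samples().items():
        print(f"{url!r:24} naive={naive!s:5} hardened={hardened}")
```

The row for "//google.com" is the report's bypass: the naive check accepts it because the string begins with "/", while the hardened check rejects it. In a Django project the same result is obtained with django.utils.http.url_has_allowed_host_and_scheme(return_url, allowed_hosts={request.get_host()}), which is the call to prefer over a hand-written test.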

We are processing your report and will contact the sissbruecker/linkding team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the sissbruecker/linkding team and are waiting to hear back 2 years ago
Sascha
2 years ago

Maintainer


@admin This seems to be a duplicate of https://huntr.dev/bounties/a5efbedb-fc31-4386-b894-439bfd9ec62c/

ranjit-git
2 years ago

Researcher


@maintainer No, his report will be a duplicate of mine. You should validate my report first because my report was submitted on 26th March and his report on 27th March.

ranjit-git
2 years ago

Researcher


Just check the report time. His report was submitted 1 day after mine. So, my report will be the original and https://huntr.dev/bounties/a5efbedb-fc31-4386-b894-439bfd9ec62c/ will be the duplicate.

ranjit-git modified the report
2 years ago
Sascha
2 years ago

Maintainer


Sorry, I saw the other one first, and the issue has been fixed. For now I'll leave the status as is, feel free to take it up with whomever can make the decision with what's a duplicate or not.

ranjit-git
2 years ago

Researcher


Yes. @admin, can you please check this report's time? My report should be the original report here.

Jamie Slome
2 years ago

Hello @ranjit-git - would you be happy to split the bounties 50/50 between this report and the other, and we can mark both reports as valid? Seeing as yours was first, but the other one was validated first, we think this is the fairest way forward here.

Let me know your thoughts.

ranjit-git
2 years ago

Researcher


Ok @admin

We have sent a follow up to the sissbruecker/linkding team. We will try again in 4 days. 2 years ago
Jamie Slome
2 years ago

@maintainer - feel free to move forward with this report - marking it as valid, confirming the severity of the report and confirming the patch.

We will treat this as the first instance of the vulnerability report, and the other report as a duplicate.

The other researcher has said that they are happy to forgo the bounty, as well.

We have sent a second follow up to the sissbruecker/linkding team. We will try again in 7 days. 2 years ago
ranjit-git
2 years ago

Researcher


@admin @maintainer can you please validate this report?

Jamie Slome
2 years ago

If we don't hear back from the maintainer post the final follow-up, I will go ahead 👍

We have sent a third follow up to the sissbruecker/linkding team. We will try again in 14 days. 2 years ago
ranjit-git
2 years ago

Researcher


@admin can you please validate this report?

Jamie Slome
2 years ago

Sure, do we have the commit SHA that addressed this issue?

ranjit-git
2 years ago

Researcher


@admin https://github.com/sissbruecker/linkding/commit/3906d9e5b86c56e26e9b4cc0f1e4f2e8fcc44744

Jamie Slome validated this vulnerability 2 years ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jamie Slome marked this as fixed in v1.8.8 with commit 3906d9 2 years ago
The fix bounty has been dropped
models.py#L82-L115 has been validated
bookmarks.py#L2-L198 has been validated
utils.py#L90-L104 has been validated