How CVE-2018-15178 Works
This open redirect vulnerability exists in Gogs versions prior to 0.12 and stems from improper validation of the `redirect_to` query parameter. The flaw resides in the `isValidRedirect` function (also referred to as `IsSameSite` in some contexts) located in routes/user/auth.go. The function is responsible for ensuring that any redirect URL points to the same site, preventing attackers from sending users to external malicious domains. However, the validation logic is critically flawed: it only inspects the first two characters of the URL string.
Specifically, the function checks that the URL starts with a slash (/) and that the second character is neither a slash nor a backslash. An attacker can bypass this check by supplying a crafted `redirect_to` parameter such as /a/../\example.com. The `isValidRedirect` function sees only the initial `/a` and considers the URL valid, because the first character is a slash and the second is neither a slash nor a backslash. However, web browsers normalize backslashes (\) to forward slashes (/) during URL processing. When the browser encounters the sequence /\example.com, it normalizes it to //example.com, which is interpreted as a protocol-relative URL pointing to an external domain. The result is a cross-origin redirect that lets an attacker send a user to any website of their choice.
This vulnerability affects all Gogs endpoints that use the `redirect_to` query parameter, including the login page and other post-action flows. The attack vector is straightforward: an attacker crafts a malicious link containing the vulnerable `redirect_to` parameter and tricks a user into clicking it. When the user logs in or completes an action, they are seamlessly redirected to the attacker’s site. The impact is amplified because the redirect occurs within the context of a trusted Gogs domain, making phishing attacks more convincing and increasing the likelihood of successful credential harvesting or token theft.
DailyCVE Form:
Platform: Gogs
Version: < 0.12
Vulnerability: Open Redirect
Severity: Medium (CVSS 6.1)
Date: 2018-08-07
Prediction: 2018-08-22 (Patched)
What Undercode Say: Analytics
- Vulnerable Function: `isValidRedirect` in gogs/routes/user/auth.go.
- Root Cause: Only the first two characters of the URL are validated.
- Bypass Technique: Directory traversal + backslash (e.g., /a/../\example.com).
- Browser Behavior: Backslash normalized to forward slash, creating //example.com.
- Affected Endpoints: All using the `redirect_to` parameter (login, post-action flows).
- Attack Vector: Crafted link with malicious `redirect_to` parameter.
- User Interaction: Required (victim must click the link and log in).
- Patch Version: Gogs 0.12.
- Fix Commit: 1f247cf8139cb483276cd8dd06385a800ce9d4b2.
- Discoverer: bluecatli (Tencent’s Xuanwu Lab).
How to Exploit
- Craft the Malicious Link: An attacker creates a link to a vulnerable Gogs instance with a specially crafted `redirect_to` parameter.
http://<gogs-domain>/user/login?redirect_to=/a/../\example.com
Replace `<gogs-domain>` with the target Gogs server address and `example.com` with the attacker’s domain.
- Deliver the Link: The attacker sends this link to a victim via email, social media, or any other channel.
- Victim Interaction: The victim clicks the link, which takes them to the Gogs login page.
- Successful Login: The victim enters their credentials and logs in.
- Redirection: Upon successful authentication, Gogs processes the `redirect_to` parameter. The `isValidRedirect` function incorrectly validates `/a/../\example.com` as safe. The browser then normalizes the URL, and the victim is redirected to `//example.com` – the attacker’s external site.
Protection
- Upgrade Gogs: The most effective protection is to upgrade to Gogs version 0.12 or later, which contains the fix for this vulnerability.
- Implement Proper Validation: If using a custom or forked version, ensure the redirect validation logic comprehensively parses and validates the entire URL, not just the first two characters. Use a robust URL parsing library and enforce that the redirect target is on the same host.
- Use a Whitelist: Implement a whitelist of allowed redirect domains and paths, rejecting any URL that does not match the whitelist.
- Educate Users: Train users to recognize and avoid clicking on suspicious links, even if they appear to come from a trusted domain.
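To make the "first two characters" flaw from the How It Works section and the "parse the whole URL" advice above concrete, here is an added Go example (not Gogs source; `weakIsValidRedirect` is a reconstruction from the page's description, and `safeIsLocalRedirect`/`redirectTarget` are hypothetical names) that runs the page's bypass string through both checks. Note that a redirect helper which path-cleans the Location header before sending it (Go's net/http.Redirect does) collapses `/a/../` away server-side, so the browser may receive `/\example.com` directly.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// weakIsValidRedirect reconstructs the pre-0.12 check as the page describes
// it: only the first two bytes are inspected (assumption, not Gogs source).
func weakIsValidRedirect(u string) bool {
	return len(u) >= 2 && u[0] == '/' && u[1] != '/' && u[1] != '\\'
}

// safeIsLocalRedirect parses the whole value and accepts only an absolute,
// same-site path, as the Protection section recommends.
func safeIsLocalRedirect(raw string) bool {
	// Browsers fold "\" into "/", so a backslash (or control byte) anywhere
	// in the raw value is rejected outright, not just in position two.
	if strings.ContainsAny(raw, "\\\r\n\x00") {
		return false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	// Any scheme, authority or userinfo means it is not a local path.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return false
	}
	// u.Path is percent-decoded, so an encoded "%5C" shows up here as "\".
	if strings.ContainsRune(u.Path, '\\') {
		return false
	}
	// Must be an absolute path; "//..." would be protocol-relative.
	return strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//")
}

// redirectTarget returns raw when it is a safe local path, else fallback.
func redirectTarget(raw, fallback string) string {
	if safeIsLocalRedirect(raw) {
		return raw
	}
	return fallback
}

func main() {
	for _, c := range []string{"/a/../\\example.com", "/%5Cexample.com",
		"//example.com", "/user/settings?tab=ssh", "https://example.com/"} {
		fmt.Printf("%-24q weak=%-5v safe=%v\n", c, weakIsValidRedirect(c), safeIsLocalRedirect(c))
	}
}
```

The percent-encoded variant `/%5Cexample.com` passes the weak check too, which is why the hardened version inspects the decoded path rather than just the raw string.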
Impact
- Phishing: Attackers can use the trusted Gogs domain to display convincing phishing pages, tricking users into entering sensitive credentials.
- OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may be leaked to the attacker’s domain via the redirect.
- Referer Leakage: Sensitive URL parameters, including session identifiers or tokens, may be exposed to attacker-controlled domains through the HTTP Referer header.
- Cache Poisoning: In shared caching environments, malicious redirects could potentially be cached and served to other users, amplifying the attack’s reach.
- Reputation Damage: Successful exploitation can erode user trust in the Gogs platform and the organization hosting it.
Sources:
Reported By: github.com