LobeHub Lobe-Chat, Open Redirect Vulnerability, CVE-2024-5275 (Medium)


The vulnerability arises from improper validation of the `X-Forwarded-Host` and `X-Forwarded-Proto` HTTP headers within the OIDC redirect handling logic. The `correctOIDCUrl` function uses these client-supplied headers to reconstruct the base URL for the final redirect. When a reverse proxy passes these headers through to the Lobe-Chat backend without sanitization, an attacker can manipulate them. By setting `X-Forwarded-Host` to a domain they control and `X-Forwarded-Proto` to `https`, the attacker can force the application to generate a redirect URL pointing to their malicious site. This occurs because the application trusts these headers to identify the original request's protocol and host, resulting in an open redirect that can be used in phishing attacks.

Platform: Lobe-Chat

Version: Pre-1.6.0

Vulnerability: Open Redirect

Severity: Medium

Date: 2024-12-18

Prediction: Patch expected by 2024-12-22

What Undercode Says:

```shell
curl -i 'http://localhost:3210/oidc/callback/desktop?code=abc&state=test123' \
  -H 'X-Forwarded-Host: evil.com' \
  -H 'X-Forwarded-Proto: https'
```

```javascript
// Vulnerable code path: the correctOIDCUrl function rebuilds the redirect base from untrusted headers.
const finalRedirectUrl = correctOIDCUrl(request, new URL(internalRedirectUrlString));
```

How it is exploited:

An attacker sends a crafted request with malicious `X-Forwarded-*` headers to the OIDC callback endpoint, tricking the server into generating a redirect to an attacker-controlled domain.

Protection from this CVE:

Validate and sanitize `X-Forwarded-*` headers at the reverse proxy (strip client-supplied values and set them only from the proxy itself). Use an allowlist of trusted hosts when reconstructing the origin. Implement strict URL validation before issuing redirects, so the final target stays on the application's own origin.
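The following is an added example written for this writeup, not Lobe-Chat's own code: it contrasts a redirect-base builder that trusts the forwarded headers blindly (the behaviour described above) with a hardened variant that applies a host allowlist and confines the final redirect to the expected origin. The allowlisted hosts, the header object shape and the function names are assumptions for the demonstration.

```javascript
// Assumed deployment hosts that a reverse proxy is allowed to forward for (example values).
const TRUSTED_HOSTS = new Set(['chat.example.org', 'localhost:3210']);

// Models the flawed behaviour: whatever the client sent in X-Forwarded-Host/-Proto
// becomes the base of the post-login redirect.
function vulnerableRedirectBase(headers, configuredOrigin) {
  const host = headers['x-forwarded-host'];
  const proto = headers['x-forwarded-proto'] || 'http';
  return host ? `${proto}://${host}` : configuredOrigin;
}

// Hardened variant: forwarded values are used only if the host is on the allowlist
// and the scheme is http or https; otherwise the configured origin wins.
function hardenedRedirectBase(headers, configuredOrigin) {
  const rawHost = headers['x-forwarded-host'];
  const proto = headers['x-forwarded-proto'];
  // X-Forwarded-Host can carry a comma-separated chain; only the first hop matters here.
  const host = rawHost ? rawHost.split(',')[0].trim().toLowerCase() : null;
  if (!host || !TRUSTED_HOSTS.has(host)) return configuredOrigin;
  if (proto !== 'https' && proto !== 'http') return configuredOrigin;
  return `${proto}://${host}`;
}

// Final guard: resolve the internal redirect against the base and refuse anything
// whose origin differs (e.g. an absolute URL smuggled into the redirect target).
function safeRedirectUrl(internalRedirect, base) {
  const target = new URL(internalRedirect, base);
  if (target.origin !== new URL(base).origin) return new URL('/', base).href;
  return target.href;
}

// Constructed sample request headers mirroring the curl command in this writeup.
const spoofedHeaders = { 'x-forwarded-host': 'evil.com', 'x-forwarded-proto': 'https' };
const legitimateHeaders = { 'x-forwarded-host': 'chat.example.org', 'x-forwarded-proto': 'https' };
const APP_ORIGIN = 'http://localhost:3210';

function demo() {
  return {
    vulnerable: vulnerableRedirectBase(spoofedHeaders, APP_ORIGIN),   // off-site redirect
    hardened: hardenedRedirectBase(spoofedHeaders, APP_ORIGIN),       // falls back to APP_ORIGIN
    legitimate: hardenedRedirectBase(legitimateHeaders, APP_ORIGIN),  // trusted host accepted
    confined: safeRedirectUrl('https://evil.com/x', 'https://chat.example.org'),
  };
}
```

Running `demo()` shows the spoofed headers steering the vulnerable builder to `https://evil.com` while the hardened builder keeps the redirect on the configured origin.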

Impact:

Phishing attacks, credential harvesting, user experience disruption, potential for social engineering.


Sources:

Reported By: github.com