Listen to this Post
The vulnerability is an open redirect in NocoDB’s authentication flow. It stems from inadequate validation of the user-controlled `continueAfterSignIn` query parameter. A helper function, isFullUrl, uses a permissive regular expression (/^(https?:)?\/\//) to check if the parameter is a full URL. This regex matches any string starting with `http://`, `https://`, or //, treating protocol-relative URLs as valid.
When a user authenticates via a crafted login link containing this parameter, the application logic passes the validated (but not restricted) URL to the `navigateTo` function. Since there is no allowlist or origin check for the destination, the function performs an unconditional client-side navigation to the attacker-supplied external site immediately after successful login. This allows the redirection of an authenticated user to any arbitrary, potentially malicious, domain.
Platform: NocoDB
Version: Pre-v0.106.7
Vulnerability: Open Redirect
Severity: Medium
date: 2023
Prediction: 2023-10-18
What Undercode Say:
`curl -I “https://target//signin?continueAfterSignIn=//evil.com”`
`/^(https?:)?\/\//`
`if(isFullUrl(redirect)) navigateTo(redirect, { external: true });`
How Exploit:
`https://victim-nocodb.example//signin?continueAfterSignIn=https://phish.com`
Protection from this CVE
Validate redirect URLs against a strict allowlist of permitted domains or paths. Implement server-side validation of the `continueAfterSignIn` parameter. Use relative URLs or signed tokens for redirect targets.
Impact:
Credential theft phishing.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

