Saltcorn, Open Redirect, CVE-XXXX-XXXX (Medium)

Listen to this Post

The vulnerability arises from an inadequate validation function, is_relative_url(), which is intended to only allow same-origin redirects after a user logs in. This function checks for the substrings `”:/”` and `”//”` in a URL to block absolute paths and external schemes. However, it fails to account for the backslash character (\). According to WHATWG URL specifications, which all modern browsers follow, a backslash is normalized to a forward slash (/) for special schemes like http, https, ftp, ws, and wss.
An attacker can exploit this by crafting a payload such as /\evil.com/path. This string bypasses the `is_relative_url()` check because it contains neither `”:/”` nor "//". The server then passes this unmodified string to the `res.redirect()` function. Due to the browser’s normalization, a user is silently navigated from the trusted Saltcorn domain to the attacker-controlled domain evil.com. This bypass is possible because the `is_relative_url()` function only uses a literal string check and does not sanitize backslashes. The vulnerable code path exists in packages/server/auth/routes.js, where the `dest` parameter from the request body is decoded twice and then passed to res.redirect.
The following form summarizes the vulnerability using the specified structure:
Platform: Saltcorn
Version: Affected versions (e.g., < 1.0.0-beta.16)
Vulnerability : Open Redirect
Severity: Medium
date: Not specified

Prediction: Patch likely available in versions >= 1.0.0-beta.16

What Undercode Say:

To test for this vulnerability, you can use `curl` to simulate a login request with a malicious `dest` parameter. The following command demonstrates the basic principle:

Simulate a login POST request with a crafted dest parameter
curl -X POST http://victim-saltcorn.com/auth/login \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "[email protected]&password=password&dest=/\evil.com/path"

How Exploit:

An attacker would craft a malicious login URL pointing to the vulnerable Saltcorn instance, such as https://victim-saltcorn.com/auth/login?dest=/\evil.com`. They would then trick a victim into clicking this link. After the victim logs in with their valid credentials, the server will redirect them to the attacker-controlled domain (evil.com`), potentially to a phishing site designed to steal their credentials again.

Protection from this CVE

To protect against this vulnerability, the `is_relative_url()` function should be strengthened. Instead of a simple substring check, a robust solution involves parsing the URL and verifying that it does not contain a scheme or hostname. Additionally, the function should explicitly reject any URLs containing backslashes. An example of a more secure validation logic in Node.js is:

const isSafeRedirect = (url) => {
try {
const parsedUrl = new URL(url, 'http://dummy');
// Reject if the URL has a protocol or hostname (i.e., is absolute)
if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') return false;
if (parsedUrl.hostname !== 'dummy') return false;
return true;
} catch (e) {
return false;
}
};

Impact

If successfully exploited, an attacker can redirect a user from a trusted Saltcorn application to any malicious site of their choice. This can be leveraged for credential phishing, malware distribution, or other client-side attacks, severely undermining user trust and the security of the application.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top