Snipe-IT, Open Redirect, CVE-2024-43135 (Low)


The CVE works by exploiting an unvalidated HTTP `Referer` header that the application stores in a session variable. When a user submits a form with `redirect_option` set to `back`, the `Helper::getRedirectOption()` function retrieves `back_url` directly from the session. This URL originates from the `Referer` header of the initial request, which an attacker can control via a crafted link or a malicious site. The application does not validate or sanitize the `Referer` header before storing it in the session.

Later, when the user clicks "Save" on any form that uses the `back` redirect option, the code calls `redirect()->to($backUrl)`. No internal domain whitelist or `->safe()` method is used, so redirection to any external domain is allowed.

An attacker first needs to "poison" the session by tricking a user into visiting a Snipe-IT page with a malicious `Referer`. This could be done via a phishing email or a cross-site request forgery that sets the `Referer`. Once the session contains `https://evil.com/phishing?target=snipeit`, any subsequent form submission with the `back` option triggers the redirect. The vulnerability requires a pre-condition (session poisoning), which lowers the practical risk but still enables targeted attacks. The attack chain: lure victim → set `Referer` → victim performs a legitimate action (e.g., saving an asset) → redirect to evil.com. On the malicious site, attackers can host fake login pages, capture session cookies via JavaScript, or deliver malware.

The issue affects all Snipe-IT versions prior to 8.4.1. The patch in commit `grokability/snipe-it@e376492` introduces validation of the redirect URL against a trusted host whitelist. Without the patch, any external URL is accepted, making it an open redirect.
DailyCVE Form:
Platform: Snipe-IT
Version: Before 8.4.1
Vulnerability: Open redirect
Severity: Low
Date: Not disclosed
Prediction: Patched July 2024

What Undercode Says:
Analytics: The following bash commands analyze Referer-based open redirect risks in Snipe-IT instances.

# Check for the vulnerable redirect logic in Snipe-IT before 8.4.1
grep -r "redirect()->to(\$backUrl)" /path/to/snipe-it/app/

# Locate where back_url taken from the Referer is read out of the session
grep -r "getRedirectOption" /path/to/snipe-it/app/Helpers/

# Test a live instance for open redirect (requires an authenticated session)
curl -i -X GET 'https://target-snipe.com/assetmodels?redirect_option=back' \
  -H 'Referer: https://evil.com' \
  --cookie "snipeit_session=YOUR_SESSION"

# Monitor for malicious Referer values in Apache/Nginx access logs
# (the combined log format writes the Referer as a quoted URL after the status and byte count,
#  not as a "Referer:" header line)
sudo tail -f /var/log/nginx/access.log | grep -E '"https?://(evil|malicious)[^"]*"'

Exploit:
1. Attacker crafts a link to a Snipe-IT page (e.g., `/assets/create`) with a malicious Referer set via a meta refresh or social engineering.
2. Victim clicks the link; the application stores `Referer` as `back_url` in their session.
3. Victim later uses any form with `redirect_option=back` (e.g., saving an asset) and clicks "Save".
4. Snipe-IT executes `redirect()->to('https://evil.com/phishing?target=snipeit')`, sending the victim to the attacker's site.
5. Attacker captures session cookies via JavaScript or presents a fake login page to steal credentials.
Protection from this CVE:
- Upgrade to Snipe-IT version 8.4.1 or later immediately.
- If an upgrade is not possible, manually patch by modifying `app/Helpers/Helper.php` and any redirect call to validate `$backUrl` against `url()->isValidUrl()` and a whitelist of trusted domains.
- Set the `redirect_option` default to a safe internal page (e.g., `redirect()->back()` with fallback to `/home`).
- Use Laravel's `redirect()->to()->with('error')` and avoid storing a user-supplied Referer in the session without strict validation.
- Deploy WAF rules to block suspicious Referer headers containing external domains.
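A trusted-host check for the Referer-derived `back_url`, as an added illustration in plain PHP (not Snipe-IT's code or the actual patch); the function name, host names and sample URLs are constructed:

```php
<?php
// Added illustration (not Snipe-IT's own code or patch): validate a Referer-derived
// "back" URL against a trusted-host allowlist before redirecting, falling back to an
// internal path. Covers the cases open-redirect checks commonly miss: scheme-relative
// URLs ("//evil.example"), userinfo tricks ("https://trusted@evil.example"),
// backslash confusion ("/\evil.example"), and non-http schemes ("javascript:").
declare(strict_types=1);

function safeBackUrl(?string $backUrl, array $trustedHosts, string $fallback = '/home'): string
{
    if ($backUrl === null || trim($backUrl) === '') {
        return $fallback;
    }
    // Browsers treat "/\evil.example" like "//evil.example", so normalise first.
    $candidate = str_replace('\\', '/', trim($backUrl));

    // A same-site relative path starts with exactly one "/" ("//host" is scheme-relative).
    if (str_starts_with($candidate, '/') && !str_starts_with($candidate, '//')) {
        return $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;  // unparsable, no host, or scheme-relative "//host/..."
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;  // javascript:, data:, etc.
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;  // "https://trusted.host@evil.example" puts the real host after "@"
    }
    $allowed = array_map('strtolower', $trustedHosts);
    if (!in_array(strtolower($parts['host']), $allowed, true)) {
        return $fallback;  // the actual open-redirect case: host not in the allowlist
    }
    return $candidate;
}

// Constructed sample inputs; run with `php safe_back_url.php`.
$trusted = ['snipeit.example.internal'];
$samples = [
    'https://snipeit.example.internal/hardware/5',    // kept: trusted host
    'https://evil.com/phishing?target=snipeit',        // replaced by /home
    '//evil.com/',                                     // replaced: scheme-relative
    'https://snipeit.example.internal@evil.com/',      // replaced: userinfo trick
    'javascript:alert(1)',                             // replaced: no host, not http(s)
    '/hardware',                                       // kept: internal path
];
foreach ($samples as $url) {
    printf("%-46s => %s\n", $url, safeBackUrl($url, $trusted));
}
```

The fallback path is returned for every rejected input, so a poisoned `back_url` degrades to a same-site redirect rather than an error.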

Impact:

  • Phishing: Credential theft using fake login pages.
  • Session Hijacking: Malicious site can read session cookies via XSS or document.cookie if same-site policy is misconfigured.
  • Malware Distribution: Drive-by downloads from attacker-controlled site.
  • Reputation Damage: Trust erosion when users are redirected from legitimate Snipe-IT domain.
  • Social Engineering: Increased success rate of attacks due to trusted origin appearance.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode