Open redirect vulnerability on 2FA #1968

New Issue

Closed

opened 2025-11-02 04:19:39 -06:00 by GiteaMirror · 4 comments

GiteaMirror commented 2025-11-02 04:19:39 -06:00

Owner

Copy Link

Originally created by @glitch003 on GitHub (Jun 25, 2018).

• Gitea version (or commit ref): 1.4.1
• Git version: 2.17.1
• Operating system: Ubuntu 16
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist: N/A

Description

This bug was submitted via a Bug Bounty program my company has, and I'd love to hear your thoughts on it

During the login process when the victim has entered his/her password and is then redirected to the page where he/she is told to enter his 2FA Code at this point the attacker will send a crafted link "https://try.gitea.io/user/login?redirect_to=//google.com/"

This crafted link will send this to same page he/she was viewing before and he/she will think it is a legitimate page is being loaded from "try.gitea.io"

Now they will enter there 2FA code there and will then be redirected on google.com or any other web page the attacker wants.

More info about open redirect vulnerabilities and why they're a problem:

• http://cwe.mitre.org/data/definitions/601.html
• https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Reproduction

You must have 2FA enabled on your account.

1. Login at https://try.gitea.io/
2. You will be redirected to "https://try.gitea.io/user/two_factor"
3. Open this link "https://try.gitea.io/user/login?redirect_to=//google.com/"
4. Enter the 2FA Code
5. You will be redirected to google.com

Originally created by @glitch003 on GitHub (Jun 25, 2018). <!-- 1. Please speak English, this is the language all of us can speak and write. 2. Please ask questions or configuration/deploy problems on our Discord server (https://discord.gg/NsatcWJ) or forum (https://discourse.gitea.io). 3. Please take a moment to check that your issue doesn't already exist. 4. Please give all relevant information below for bug reports, because incomplete details will be handled as an invalid report. --> - Gitea version (or commit ref): 1.4.1 - Git version: 2.17.1 - Operating system: Ubuntu 16 - Database (use `[x]`): - [X] PostgreSQL - [ ] MySQL - [ ] MSSQL - [ ] SQLite - Can you reproduce the bug at https://try.gitea.io: - [X] Yes (provide example URL) - [ ] No - [ ] Not relevant - Log gist: N/A ## Description **This bug was submitted via a Bug Bounty program my company has, and I'd love to hear your thoughts on it** During the login process when the victim has entered his/her password and is then redirected to the page where he/she is told to enter his 2FA Code at this point the attacker will send a crafted link "https://try.gitea.io/user/login?redirect_to=//google.com/" This crafted link will send this to same page he/she was viewing before and he/she will think it is a legitimate page is being loaded from "try.gitea.io" Now they will enter there 2FA code there and will then be redirected on google.com or any other web page the attacker wants. More info about open redirect vulnerabilities and why they're a problem: * http://cwe.mitre.org/data/definitions/601.html * https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet ## Reproduction You must have 2FA enabled on your account. 1. Login at https://try.gitea.io/ 2. You will be redirected to "https://try.gitea.io/user/two_factor" 3. Open this link "https://try.gitea.io/user/login?redirect_to=//google.com/" 4. Enter the 2FA Code 5. You will be redirected to google.com

GiteaMirror added the topic/security label 2025-11-02 04:19:39 -06:00

GiteaMirror closed this issue 2025-11-02 04:19:39 -06:00

GiteaMirror commented 2025-11-02 04:19:40 -06:00

Author

Owner

Copy Link

@jonasfranz commented on GitHub (Jun 25, 2018):

Normal login without 2FA is also affected if //example.com is used.

@jonasfranz commented on GitHub (Jun 25, 2018): Normal login without 2FA is also affected if ``//example.com`` is used.

GiteaMirror commented 2025-11-02 04:19:40 -06:00

Author

Owner

Copy Link

@glitch003 commented on GitHub (Jun 26, 2018):

Wow that was fast, thanks all!

@glitch003 commented on GitHub (Jun 26, 2018): Wow that was fast, thanks all!

GiteaMirror commented 2025-11-02 04:19:40 -06:00

Author

Owner

Copy Link

@lunny commented on GitHub (Jun 27, 2018):

Thanks @cezar97

@lunny commented on GitHub (Jun 27, 2018): Thanks @cezar97

GiteaMirror commented 2025-11-02 04:19:40 -06:00

Author

Owner

Copy Link

@sapk commented on GitHub (Jun 28, 2018):

The check introduce in #4312 should be introduce globaly in 7b2b900e13/modules/context/context.go (L80)
Or display a webpage in between the redirect that show the user he is leaving.

@sapk commented on GitHub (Jun 28, 2018): The check introduce in #4312 should be introduce globaly in https://github.com/go-gitea/gitea/blob/7b2b900e13612f565051c64374b788b0c8a82751/modules/context/context.go#L80 Or display a webpage in between the redirect that show the user he is leaving.

GiteaMirror referenced this issue 2025-11-02 12:03:23 -06:00

[PR #1968] [MERGED] fix collborators lack of units on orgnization repositories #16148

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label topic/security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#1968