GHSA-j5r2-4c8j-xc3m
Gitea: Open Redirect via redirect_to
### Details
Despite the validation in `urlIsRelative` in `modules/httplib/url.go`, an open redirect is still possible by combining directory traversal sequences with a backslash in the `redirect_to` parameter.
### PoC
When a user logs in through this URL:
`https://gitea.com/user/login?redirect_to=/a/../\example.com`
they are redirected to `example.com` after a successful login to their Gitea account.
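The following Go program is an added example, not Gitea's code or its fix. `naiveIsRelative` is a simplified stand-in for a check that inspects only the start of the raw value, and `safeRedirectTarget` is a hypothetical helper that validates the decoded, normalized path instead. It shows that collapsing `/a/..` in the PoC value leaves `/\example.com`, a prefix browsers treat like `//example.com`.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// naiveIsRelative is a simplified stand-in for a prefix-only check
// (assumption: this is NOT Gitea's urlIsRelative). It rejects "//x" and
// "/\x" but only looks at the first two bytes of the raw value.
func naiveIsRelative(s string) bool {
	if len(s) > 1 && (s[1] == '/' || s[1] == '\\') {
		return false
	}
	u, err := url.Parse(s)
	return err == nil && u.Scheme == "" && u.Host == ""
}

// safeRedirectTarget (hypothetical helper) returns a normalized same-site
// path, or "/" when the value could leave the site after normalization.
func safeRedirectTarget(s string) string {
	const fallback = "/"
	if !strings.HasPrefix(s, "/") {
		return fallback
	}
	u, err := url.Parse(s) // also rejects ASCII control characters
	if err != nil || u.Scheme != "" || u.Host != "" {
		return fallback
	}
	// u.Path is percent-decoded, so this catches both "\" and "%5C".
	if strings.Contains(u.Path, "\\") {
		return fallback
	}
	// Collapse "." and ".." before the value is emitted, so the string that
	// was validated is the string that is sent in the Location header.
	u.Path, u.RawPath = path.Clean(u.Path), ""
	return u.String()
}

func main() {
	for _, in := range []string{ // constructed sample inputs
		`/a/../\example.com`, `/a/../%5Cexample.com`, `//example.com`,
		`/user/settings?tab=keys`, `/a/../b`,
	} {
		fmt.Printf("%-26q naive=%-5v cleaned=%-18q safe=%q\n",
			in, naiveIsRelative(in), path.Clean(in), safeRedirectTarget(in))
	}
}
```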
### Impact
* Phishing: Attackers can use trusted domain links to redirect victims to credential-harvesting pages
* OAuth/SSO Token Theft: In authentication flows, authorization codes or tokens may leak via redirect
* Referer Leakage: Sensitive URL parameters may be exposed to attacker domains via the Referer header
* Cache Poisoning: In deployments with shared caches, malicious redirects may be cached and served to other users
Affected packages
0 Fixed in: 1.26.0
`go get github.com/go-gitea/gitea@v1.26.0`