Security Vulnerability Report: Open Redirect in "next" parameter

[Cainor]

Dear Team,

Thank you for your contribution to the open source community

Summary:
I was able to find an Open Redirect vulnerability providing different domain in the "next" parameter that is used in the login process.

Open Redirect Description and Impact:
An Open Redirect issue occurs when a web application redirects users to external URLs without proper validation. This can lead to phishing attacks, where users are tricked into visiting malicious sites, potentially leading to information theft and reputational damage to the website used for redirection.

Vulnerable Code:

NewsBlur/apps/reader/views.py

Lines 203 to 205 in 1f74f1a

	next_url = request.POST.get('next', '')
	if next_url:
	return HttpResponseRedirect(next_url)

Here if the "next" parameter was any of the following:

• ?next=https://www.google.com
• ?next=//google.com

Recommended Solution:
To remediate this use: url_has_allowed_host_and_scheme method provided by django.utils.http
The code should look like this:

from django.utils.http import url_has_allowed_host_and_scheme
...
 next_url = request.POST.get('next', '') 
 if next_url and url_has_allowed_host_and_scheme(next_url, settings.ALLOWED_HOSTS): 
     return HttpResponseRedirect(next_url) 

Thank you for your attention to this matter. I look forward to your response and am ready to assist in any way necessary to resolve this issue.

Regards,
Cainor