Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.
Impact
- Phishing: Redirect users to fake login pages to steal credentials
- Session Hijacking: Redirect to attacker site that captures session cookies via JavaScript
- Malware Distribution: Redirect to sites hosting malware or drive-by downloads
- Reputation Damage: Users lose trust when redirected to malicious sites from legitimate application
- Social Engineering: Use trusted Snipe-IT domain to increase phishing success rate
When the user clicks "Save", the application:
- Processes the form
- Checks
redirect_option (if set to 'back')
- Calls
Helper::getRedirectOption()
- Retrieves
back_url from session: https://evil.com/phishing?target=snipeit
- Executes
redirect()->to($backUrl)
- User is redirected to attacker's site
This would still require session poisoning, so the actual practical threat here is minimal.
Patches
Patched in grokability/snipe-it@e376492, released in 8.4.1.
Workarounds
None.
Resources
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- OWASP: Unvalidated Redirects and Forwards
- Laravel Security: Safe Redirects
snipeit_open_redirect_submission.md
References
CE2Sec Reporter
Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.
Impact
When the user clicks "Save", the application:
redirect_option(if set to 'back')Helper::getRedirectOption()back_urlfrom session:https://evil.com/phishing?target=snipeitredirect()->to($backUrl)This would still require session poisoning, so the actual practical threat here is minimal.
Patches
Patched in grokability/snipe-it@e376492, released in 8.4.1.
Workarounds
None.
Resources
snipeit_open_redirect_submission.md
References