
Open Redirect via Referer #210

@NinjaGPT

Description


Summary

In the latest version (v6.0.0) of PyBBS, the endpoint /changeLanguage, which performs a redirect, adopts an insecure implementation: it uses the user-controllable Referer header as the redirect target.

Vulnerable code

  • src/main/java/co/yiiu/pybbs/controller/front/IndexController.java

```java
@GetMapping("changeLanguage")
public String changeLanguage(String lang, HttpSession session, HttpServletRequest request) {
    // Redirect target is taken straight from the request's Referer header
    String referer = request.getHeader("referer");
    if ("zh".equals(lang)) {
        session.setAttribute(SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME, Locale.SIMPLIFIED_CHINESE);
    } else if ("en".equals(lang)) {
        session.setAttribute(SessionLocaleResolver.LOCALE_SESSION_ATTRIBUTE_NAME, Locale.US);
    }
    // Any non-empty Referer, including an external origin, is used unvalidated
    return StringUtils.isEmpty(referer) ? redirect("/") : redirect(referer);
}
```

POC

```http
GET /changeLanguage HTTP/1.1
Host: localhost:8888
Referer: http://attacker.com/
```
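The following is an added, hypothetical hardened version of the redirect-target logic; it is not PyBBS's own code and not part of the report. It assumes the application knows its own canonical scheme, host and port (here the report's http://localhost:8888), accepts the Referer only when it is an absolute-path reference or an absolute URL on that same origin, and even then echoes back only the path and query so no attacker-controlled authority can reach the Location header.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Hypothetical safe-redirect helper (added example, not project code).
 * resolve() returns a same-origin path to redirect to, or "/" as a fallback.
 */
public final class SafeRedirectTarget {

    static final String DEFAULT_TARGET = "/";

    public static String resolve(String referer, String ownScheme, String ownHost, int ownPort) {
        if (referer == null || referer.isBlank()) {
            return DEFAULT_TARGET;
        }
        final URI uri;
        try {
            uri = new URI(referer.trim());
        } catch (URISyntaxException e) {
            // Unparseable values (e.g. containing backslashes or spaces) are rejected
            return DEFAULT_TARGET;
        }

        if (uri.getScheme() == null && uri.getRawAuthority() == null) {
            // Relative reference without an authority: stays on this site
            return localTarget(uri);
        }

        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            // Covers protocol-relative "//host/..." (scheme null, authority set) and
            // non-HTTP schemes such as javascript: or data:
            return DEFAULT_TARGET;
        }
        String host = uri.getHost();
        if (host == null || !host.equalsIgnoreCase(ownHost)) {
            return DEFAULT_TARGET;
        }
        if (!scheme.equalsIgnoreCase(ownScheme)
                || effectivePort(scheme, uri.getPort()) != effectivePort(ownScheme, ownPort)) {
            return DEFAULT_TARGET;
        }
        // Same origin confirmed: still drop the authority and keep only path + query
        return localTarget(uri);
    }

    private static String localTarget(URI uri) {
        String path = uri.getRawPath();
        // Require an absolute-path reference; "" or "foo" would be resolved unpredictably
        if (path == null || path.isEmpty() || !path.startsWith("/")) {
            return DEFAULT_TARGET;
        }
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    private static int effectivePort(String scheme, int port) {
        if (port != -1) {
            return port;
        }
        return scheme.equalsIgnoreCase("https") ? 443 : 80;
    }

    public static void main(String[] args) {
        // Constructed sample Referer values; the app is assumed to live at http://localhost:8888
        String[] samples = {
            "http://attacker.com/",                  // external origin        -> "/"
            "//attacker.com/",                       // protocol-relative       -> "/"
            "javascript:alert(1)",                   // non-HTTP scheme         -> "/"
            "http://localhost:9999/",                // same host, wrong port   -> "/"
            "HTTP://LOCALHOST:8888/",                // same origin, odd case   -> "/"
            "http://localhost:8888/topic/1?lang=en", // same origin             -> "/topic/1?lang=en"
            "/settings",                             // absolute-path reference -> "/settings"
            "settings",                              // bare relative path      -> "/"
            "",                                      // empty                   -> "/"
            null                                     // header absent           -> "/"
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s, resolve(s, "http", "localhost", 8888));
        }
    }
}
```

In the Spring handler this would replace `redirect(referer)` with `redirect(SafeRedirectTarget.resolve(referer, scheme, host, port))`. The origin values should come from application configuration rather than from `request.getServerName()` or the Host header, because behind a reverse proxy those are themselves request-controlled; the ownership check is only as strong as the origin it compares against.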