Summary
An attacker can use the `next` parameter on the login page to redirect a victim to a malicious page, while masking this using a legitimate-looking app.khoj.dev URL.
For example, https://app.khoj.dev/login?next=//example.com will redirect to the https://example.com page.
Details
The problem seems to be in this method (khoj/src/khoj/routers/auth.py, line 95 in commit 2667ef4):

```python
async def auth(request: Request):
```
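The fix on the server side is to accept only same-origin paths for `next` and reject protocol-relative values such as `//example.com` before redirecting. The following validator is an added example, not khoj's own code; the function name `safe_next` is hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_next(next_param: str, default: str = "/") -> str:
    """Return a same-origin redirect target, or `default` if `next_param`
    could send the browser to another host. Added example, not khoj's code."""
    if not next_param:
        return default

    # Browsers treat "\" like "/" in the authority part, so "/\example.com"
    # would slip past a plain "//" prefix check; normalise it first.
    candidate = next_param.replace("\\", "/")

    # Reject control characters and spaces: some parsers drop them, which
    # lets "/\tevil" or " //evil" be read differently by client and server.
    if any(ord(c) <= 0x20 for c in candidate):
        return default

    # Anything with a scheme ("https:", "javascript:") or a network location
    # ("//example.com", "//user@example.com") is an off-site redirect.
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return default

    # Require an absolute path on this origin; "///example.com" parses with an
    # empty netloc but still starts with "//", so exclude that explicitly.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default

    # Rebuild from parsed parts so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's payload plus common variants.
    for value in ["//example.com", "https://example.com", "/\\example.com",
                  "///example.com", "javascript:alert(1)", "/settings?tab=1#x"]:
        print(f"{value!r:28} -> {safe_next(value)!r}")
```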
PoC
Open the https://app.khoj.dev/login?next=//example.com URL in a Gecko-based browser (Firefox).
Impact
The impact is low, since this could only be used in phishing attempts, but it is still a problem.