Catalyst User Key Authentication Plugin Open Redirect Vulnerability

Vulnerability

An open redirect vulnerability has been identified in the Catalyst User Key Authentication Plugin version 20220819 for Moodle. The issue is in the logout component, specifically in the file '/auth/userkey/logout.php'. The 'return' parameter can be manipulated by the requester, which allows users to be redirected to external websites. The vulnerability can be exploited remotely and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for open redirection, where users can be sent to arbitrary external websites, potentially leading to phishing or other malicious activities.

Reproduction

To reproduce this vulnerability, install the 'User Key Authentication' plugin in a Moodle test environment. Then, navigate to '/auth/userkey/logout.php' and append a 'return' parameter with a URL of choice. The redirection will occur without the need for user authentication.

Remediation

It is recommended to modify the logout function to restrict user control over the redirection destination after logout.
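
One way to restrict the destination, shown as an added example that is not the plugin's own code: accept the 'return' value only when it resolves inside the site's own root, and fall back to the site root otherwise. The helper name safe_return_url(), the site root and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. safe_return_url() is a hypothetical
// helper; the site root and sample inputs below are constructed.

// Returns $return only if it points inside $wwwroot, otherwise $wwwroot.
function safe_return_url(string $return, string $wwwroot): string {
    $wwwroot = rtrim($wwwroot, '/');
    // Control characters and backslashes can make a browser resolve a
    // different host than parse_url() reports, so refuse them outright.
    if ($return === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $return)) {
        return $wwwroot;
    }
    // Site-relative path: one leading slash only ("//host" is another origin).
    if ($return[0] === '/' && substr($return, 0, 2) !== '//') {
        return $wwwroot . $return;
    }
    $site = parse_url($wwwroot);
    $target = parse_url($return);
    if (!is_array($target) || !isset($target['scheme'], $target['host'])) {
        return $wwwroot;
    }
    // Credentials in the URL ("https://site@other/") are never needed here.
    if (isset($target['user']) || isset($target['pass'])) {
        return $wwwroot;
    }
    $sameorigin = strtolower($target['scheme']) === strtolower($site['scheme'])
        && strtolower($target['host']) === strtolower($site['host'])
        && ($target['port'] ?? null) === ($site['port'] ?? null);
    // Match the base path on a segment boundary: "/lms-copy" is not "/lms".
    $base = rtrim($site['path'] ?? '', '/');
    $path = $target['path'] ?? '/';
    $insite = $base === '' || $path === $base || strpos($path, $base . '/') === 0;
    return ($sameorigin && $insite) ? $return : $wwwroot;
}

$root = 'https://moodle.example/lms'; // constructed site root
$samples = [
    '/login/index.php',
    'https://moodle.example/lms/my/',
    'https://other.example/',
    '//other.example/',
    'https://moodle.example.other.example/lms/',
    'https://moodle.example@other.example/lms/',
    'https://moodle.example/lms-copy/',
];
foreach ($samples as $s) {
    printf("%-44s -> %s\n", $s, safe_return_url($s, $root));
}
```

Moodle core also provides the PARAM_LOCALURL parameter type for reading URLs that must stay on the local site; this page does not state which approach the plugin's maintainers chose.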

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.