Movary Unvalidated HTTP Referer Header Open Redirect Vulnerability

Vulnerability

A vulnerability in Movary, a web application for tracking and rating movies, allows open redirects via unvalidated HTTP Referer headers. The issue is present in versions through 0.68.0. Because the header is not validated, an attacker can craft links that redirect users to a malicious site, which facilitates phishing. Multiple settings endpoints are affected: each uses the Referer header as its redirect target without checking that it points back at the application.

Impact

Exploitation of this vulnerability could lead to open redirects, allowing for phishing attacks. Additionally, according to the vulnerability report, this could be exploited as a Server-Side Request Forgery (SSRF) attack, potentially probing internal networks or accessing cloud metadata endpoints on services like AWS, GCP, or Azure.

Reproduction

To reproduce this vulnerability, send a request to one of the affected endpoints, such as '/settings/account/delete-history', with a crafted Referer header that points to an external site. The application redirects to the Referer URL, which is the open redirect.

Remediation

The vulnerability has been fixed in version 0.69.0 by adding a middleware that validates the HTTP Referer against the HTTP Host header for all relevant routes. If the Referer host does not match the Movary host, an error is returned and a warning is logged. Additionally, the user data deletion endpoints were refactored to use the DELETE HTTP method instead of GET, so a plain link or image load can no longer trigger them.
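The following is an added illustration of the check the fix describes, written in Python rather than Movary's own code base: it decides whether a Referer may be used as a redirect target by comparing its host and effective port with the request's Host header, and it scans constructed access-log lines for settings requests that carried a foreign Referer, which is the signal a defender would look for in logs from an unpatched instance. The host names `movary.example` and `attacker.example`, the log lines and the function names are constructed for the example and are not from Movary or the advisory.

```python
"""Referer-to-Host validation of the kind described in the 0.69.0 fix, plus a
log scan that flags settings requests carrying a foreign Referer.
Added illustration, not Movary's code; all host names and log lines are constructed."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_host_header(host_header, scheme):
    """Return (hostname, port) from a Host header such as
    'movary.example' or 'movary.example:8443' (constructed values)."""
    parts = urlsplit(f"//{host_header.strip()}")
    return parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def referer_is_same_site(referer, host_header, scheme="https"):
    """True only if Referer is an absolute http(s) URL whose hostname and
    effective port equal those of the request's own Host header.
    Rejects missing/empty values, non-http schemes, scheme-relative URLs
    and userinfo tricks like https://movary.example@attacker.example/."""
    if not referer or not referer.strip():
        return False
    try:
        ref = urlsplit(referer.strip())
        ref_port = ref.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    ref_scheme = ref.scheme.lower()
    if ref_scheme not in DEFAULT_PORTS or not ref.hostname:
        return False
    app_host, app_port = _split_host_header(host_header, scheme)
    ref_port = ref_port or DEFAULT_PORTS[ref_scheme]
    # .hostname is already lower-cased and stripped of userinfo/port
    return ref.hostname == app_host and ref_port == app_port


def decide_redirect(referer, host_header):
    """Middleware decision: ('redirect', target) for a same-site Referer,
    otherwise ('error', warning) so the caller can return an error and log
    the warning, as the fixed version does. Message text is constructed."""
    if referer_is_same_site(referer, host_header):
        return ("redirect", referer.strip())
    return ("error", f"referer host does not match application host {host_header}")


# Constructed combined-format log lines; only the first is a foreign Referer
# hitting a settings route. "-" means the request carried no Referer at all.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2025:18:22:00 +0000] "GET /settings/account/delete-history HTTP/1.1" 302 0 "https://attacker.example/lure"
203.0.113.6 - - [30/Oct/2025:18:22:05 +0000] "GET /settings/account HTTP/1.1" 200 512 "https://movary.example/settings"
203.0.113.7 - - [30/Oct/2025:18:22:09 +0000] "GET /settings/account/delete-history HTTP/1.1" 302 0 "-"
203.0.113.8 - - [30/Oct/2025:18:22:12 +0000] "GET /movies/42 HTTP/1.1" 200 2048 "https://attacker.example/"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)


def foreign_referer_hits(log_text, host_header, path_prefix="/settings/"):
    """Return (ip, path, referer) for settings requests whose Referer does not
    point back at the application; direct visits ("-") are not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        referer = m["referer"]
        if not m["path"].startswith(path_prefix) or referer == "-":
            continue
        if not referer_is_same_site(referer, host_header):
            hits.append((m["ip"], m["path"], referer))
    return hits


if __name__ == "__main__":
    print(decide_redirect("https://attacker.example/lure", "movary.example"))
    for hit in foreign_referer_hits(SAMPLE_LOG, "movary.example"):
        print("foreign referer on settings route:", hit)
```

Comparing the effective port as well as the hostname means a Referer with a different scheme or port is treated as foreign; that is stricter than the hostname-only comparison the advisory describes, and a deployment behind a proxy that rewrites Host would need to compare against the configured public host instead of the raw header.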

Added: Oct 30, 2025, 6:22 PM
Updated: Oct 30, 2025, 6:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 7.7
relevance: 0.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.