JeecgBoot Open Redirect Vulnerability in OAuth2 Login Flow

Vulnerability

An open redirect vulnerability has been identified in JeecgBoot versions up to and including 3.9.2. The issue lies in the Third-Party Login component, specifically in the call to HttpServletResponse.sendRedirect in ThirdLoginController. The root cause is missing validation of the user-controlled state parameter in the OAuth2 login and callback endpoints: the value is used as the post-login redirect target, so an attacker can send users to an arbitrary URL. In OAuth2 the state value is meant to be an opaque, server-issued nonce that binds the callback to the session, not a destination. Because the callback appends the freshly issued JWT to the redirect location, the token can be delivered to an attacker-controlled host, which may lead to account takeover.

Impact

Exploitation lets an attacker redirect users from a trusted JeecgBoot origin to a URL of the attacker's choosing, which supports phishing, and, because the JWT is appended to the redirect, allows the attacker to capture the token and gain unauthorized access to the victim's account.

Reproduction

To reproduce the issue, start the OAuth2 login flow by requesting the login endpoint with a crafted state parameter whose value is a URL the attacker controls. In a real attack this link is delivered to a victim, since the attacker needs the victim to complete authentication. After the user authenticates with the OAuth2 provider, the callback endpoint redirects the browser to the URL taken from state and appends the newly issued JWT to it. The token therefore arrives at the attacker's server (it will appear in that server's request logs), demonstrating both the open redirect and the resulting token leakage and account takeover risk.
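The flaw described above, as an added illustration rather than JeecgBoot's own code (written in Python instead of the project's Java so the logic can be run stand-alone): a simulated callback that treats state as the redirect target and appends the token, beside a hardened flow in which state is an opaque server-issued nonce, the return URL is validated once against an allowlist, and the token is delivered in a cookie rather than in the URL. The host names app.example.com and attacker.example, the allowlist and the cookie attributes are assumptions for the example.

```python
import secrets
from urllib.parse import urlsplit

# Assumed allowlist of hosts the application may redirect to (not from the advisory).
TRUSTED_HOSTS = {"app.example.com"}
DEFAULT_LANDING = "https://app.example.com/"


def vulnerable_callback(state: str, jwt: str) -> str:
    """Simulates the flawed pattern: the state value arriving at the callback is
    used verbatim as the redirect location and the issued JWT is appended to it."""
    sep = "&" if "?" in state else "?"
    return f"{state}{sep}token={jwt}"


def is_safe_return_url(url: str) -> bool:
    """Accept only same-origin relative paths or absolute HTTPS URLs on trusted hosts.

    Handles the usual bypass shapes: protocol-relative '//host', backslashes and
    control characters (browsers normalise some of these to '/'), credentials in the
    authority ('https://trusted@evil'), look-alike subdomains and non-http schemes."""
    if not url:
        return False
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # A relative path is fine, but '//evil' parses with a netloc and never reaches here.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in TRUSTED_HOSTS


class HardenedLoginFlow:
    """state is an opaque single-use nonce; the return URL is validated and stored
    server-side when the login starts, so the callback never trusts the query string."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def begin_login(self, return_to: str) -> str:
        target = return_to if is_safe_return_url(return_to) else DEFAULT_LANDING
        state = secrets.token_urlsafe(32)
        self._pending[state] = target
        return state  # send this to the OAuth2 provider as the state parameter

    def finish_login(self, state: str, jwt: str) -> dict:
        target = self._pending.pop(state, None)  # single use: replay fails
        if target is None:
            raise ValueError("unknown or replayed state")
        # Keep the token out of the URL so it never reaches a third-party server,
        # Referer headers or access logs.
        return {
            "location": target,
            "set_cookie": f"token={jwt}; Path=/; HttpOnly; Secure; SameSite=Lax",
        }


if __name__ == "__main__":
    # Constructed sample: an attacker-chosen state value as in the advisory.
    print(vulnerable_callback("https://attacker.example/collect", "eyJ.example.jwt"))
    flow = HardenedLoginFlow()
    s = flow.begin_login("https://attacker.example/collect")
    print(flow.finish_login(s, "eyJ.example.jwt")["location"])
```

The vulnerable function reproduces the advisory's behaviour: whatever arrives in state becomes the Location header with the token attached. The hardened flow removes the redirect decision from the callback entirely; even if an attacker supplies a return URL at login time, it is replaced by the default landing page, and a forged or replayed state value is rejected.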

Added: Jun 8, 2026, 10:23 AM
Updated: Jun 8, 2026, 10:23 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 5.2
exploitability: 7.1
remediation: 0.0
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.