Open edX
cpe:2.3:a:edx:open_edx:*:*:*:*:*:*:*, +2 more
- <= master
A server-side open redirect vulnerability has been identified in the Open edX Platform within the survey feature. The issue arises in the 'view_survey' endpoint, which accepts a 'redirect_url' GET parameter. This parameter is passed directly to 'HttpResponseRedirect()' without any validation. When a non-existent survey name is requested, the server immediately redirects to the attacker-controlled URL. Additionally, if a valid survey is requested, the same unvalidated URL is embedded in a hidden form field and returned in a JSON response after the form is submitted. Client-side JavaScript then uses this URL for redirection. This vulnerability enables phishing attacks and credential theft against authenticated Open edX users.
Exploitation of this vulnerability allows for phishing attacks targeting Open edX users, with the potential for credential theft. Stolen credentials could be used to access course content, grades, and personal information, and could potentially be escalated to administrative access.
To reproduce this vulnerability, first ensure that the Open edX instance has the survey app enabled and that the user is authenticated. Then, craft a URL that includes a non-existent survey name and a 'redirect_url' parameter pointing to an attacker-controlled URL. When the victim clicks the link, they will be redirected to the phishing site. Alternatively, if a valid survey name is used, the same 'redirect_url' will be returned in a JSON response after the survey form is submitted, where it can be accessed via client-side JavaScript.
Users can update to the patched version of Open edX Platform, where this vulnerability has been addressed by removing the 'redirect_url' parameter from the 'view_survey' endpoint and ensuring that the 'submit_answers' endpoint always redirects to the dashboard.
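The pattern behind this advisory, as an added illustration that is not Open edX code: a Django-style view that forwards a 'redirect_url' query parameter unvalidated, the shape of the fix described above (parameter dropped, dashboard always used), and a same-site redirect check for cases where a redirect parameter must be kept. The function names, the hostnames and the '/dashboard' path are assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed values for this example; a real deployment would take
# these from settings (the hostnames the LMS actually serves).
ALLOWED_HOSTS = {"lms.example.edu"}
DASHBOARD_URL = "/dashboard"


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS):
    """True only if url stays on this site: a path-relative URL or an
    absolute http(s) URL whose host is in allowed_hosts."""
    if not url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return False
    # Protocol-relative (//host) and backslash variants (/\host) are
    # treated as external by browsers; reject them outright.
    if url.startswith(("//", "/\\")) or "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, and similar schemes
    if parts.netloc:
        # The whole netloc must match, so user@host and host:port tricks fail.
        return parts.netloc.lower() in allowed_hosts
    return url.startswith("/")


def view_survey_vulnerable(query, survey_exists):
    """Shape of the bug: the parameter flows straight into the redirect,
    and into the form/JSON context when the survey exists."""
    target = query.get("redirect_url", DASHBOARD_URL)
    if not survey_exists:
        return ("redirect", target)
    return ("render", {"redirect_url": target})


def view_survey_fixed(query, survey_exists):
    """Shape of the fix described in the advisory: the parameter is
    ignored and every redirect goes to the dashboard."""
    if not survey_exists:
        return ("redirect", DASHBOARD_URL)
    return ("render", {})


def safe_redirect_target(query, fallback=DASHBOARD_URL):
    """Alternative when a redirect parameter must be kept: honour it only
    if it passes is_safe_redirect, otherwise fall back to the dashboard."""
    url = query.get("redirect_url", "")
    return url if is_safe_redirect(url) else fallback
```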