Saltcorn Open Redirect Vulnerability in Authentication Login Process
Vulnerability
An open redirect vulnerability has been identified in Saltcorn, a no-code database application builder, affecting versions prior to 1.4.6, 1.5.6, and 1.6.0-beta.5. The issue arises because Saltcorn's validation of the post-login 'dest' parameter only blocks certain characters, so a destination containing backslashes passes the check. The bypass relies on modern browsers treating a backslash like a forward slash when interpreting a URL, which turns a value that looks like a site-relative path into a redirect to an attacker-controlled domain. The vulnerability can be exploited on a default installation by tricking a user into logging in through a manipulated Saltcorn URL.
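The following added example (not Saltcorn's code) contrasts a character-blacklist check of the kind this advisory describes with a parser-based check that resolves 'dest' against the site's own origin; the hostnames are constructed placeholders.

```javascript
// Added example, not Saltcorn's code. Shows why a character blacklist on a
// post-login "dest" value is insufficient and how an origin check closes the gap.
// SITE_BASE and the hostnames below are constructed placeholders.
const SITE_BASE = "https://app.example";

// Naive check: accepts anything that starts with "/" unless it starts with
// "//" or contains "://". It never looks at backslashes.
function isSafeDestNaive(dest) {
  return dest.startsWith("/") && !dest.startsWith("//") && !dest.includes("://");
}

// Origin a browser-compatible (WHATWG) URL parser assigns to dest when it is
// resolved against the site base. For http(s) the parser treats "\" like "/",
// which is the same behaviour a browser applies to the Location header.
function resolvedOrigin(dest, base = SITE_BASE) {
  try {
    return new URL(dest, base).origin;
  } catch {
    return null; // unparsable input
  }
}

// Hardened check: resolve dest with the same parser a browser uses, keep it
// only when the resulting origin is the site's own, and hand back a
// same-site relative URL; anything else falls back to "/".
function safeDest(dest, base = SITE_BASE) {
  const siteOrigin = new URL(base).origin;
  let url;
  try {
    url = new URL(dest, base);
  } catch {
    return "/";
  }
  if (url.origin !== siteOrigin) return "/";
  return url.pathname + url.search + url.hash;
}

// Constructed sample of post-login destinations a login handler might see.
const SAMPLE_DESTS = ["/admin?tab=1#top", "/\\evil.example", "//evil.example/x"];
for (const d of SAMPLE_DESTS) {
  console.log(JSON.stringify(d), "naive:", isSafeDestNaive(d), "origin:", resolvedOrigin(d), "safe:", safeDest(d));
}
```

Run with `node`; the backslash destination passes the naive check but resolves to a foreign origin and is replaced by "/" by the hardened check.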
Impact
Exploitation of this vulnerability redirects users to an attacker-controlled site under the guise of a trusted Saltcorn domain, potentially leading to credential theft through phishing tactics.
Reproduction
To reproduce this vulnerability, send a Saltcorn login URL whose 'dest' parameter contains a backslash to a Saltcorn user. Once the user logs in, the application redirects them to the attacker-controlled domain encoded in that parameter, because the backslash passes the intended URL validation.
Remediation
Update to Saltcorn version 1.4.6, 1.5.6, or 1.6.0-beta.5 (or later), which correct the validation of the 'dest' parameter.