Summary
An attacker can use the next
parameter on the login page to redirect a victim to a malicious page, while masking this using a legit-looking app.khoj.dev
url.
For example, https://app.khoj.dev/login?next=//example.com
will redirect to the https://example.com page.
Details
The problem seems to be in this method: https://github.com/khoj-ai/khoj/blob/2667ef45449eb408ce1d7c393be04845be31e15f/src/khoj/routers/auth.py#L95
PoC
Open the https://app.khoj.dev/login?next=//example.com
url in a Gecko-based browser (Firefox).
Impact
The impact is low, and this could only be used in phishing attempts, but it's still a problem nonetheless.
References
Summary
An attacker can use the
next
parameter on the login page to redirect a victim to a malicious page, while masking this using a legit-lookingapp.khoj.dev
url.For example,
https://app.khoj.dev/login?next=//example.com
will redirect to the https://example.com page.Details
The problem seems to be in this method: https://github.com/khoj-ai/khoj/blob/2667ef45449eb408ce1d7c393be04845be31e15f/src/khoj/routers/auth.py#L95
PoC
Open the
https://app.khoj.dev/login?next=//example.com
url in a Gecko-based browser (Firefox).Impact
The impact is low, and this could only be used in phishing attempts, but it's still a problem nonetheless.
References