When fastify-static is mounted at root and registered with the option redirect: true, the following two lines cause an open redirect bug: https://github.com/fastify/fastify-static/blob/master/index.js#L156-L157. A remote attacker can redirect users to arbitrary web sites via a double forward slash (//). For example, to redirect to google.com: http://<domain_name>//google.com/%2e%2e

This bug is similar to CVE-2015-1164 in ExpressJS; the Express project published it on their security-updates page (Ctrl+F and search for CVE-2015-1164): https://expressjs.com/en/advanced/security-updates.html
Run bash run.sh, then open http://localhost:3000//google.com/%2e%2e in a browser. You will see that you are redirected to https://www.google.com/

Request:
GET //google.com/%2e%2e HTTP/1.1
Host: localhost:3000
Accept-Encoding: gzip, deflate
Connection: close
Response:
HTTP/1.1 301 Moved Permanently
location: //google.com/%2e%2e/
content-length: 0
Date: Wed, 29 Sep 2021 03:34:22 GMT
Connection: close
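As an added, defender-side example (not fastify-static's own code, nor the fix the maintainers shipped), the functions below show one way to build a directory-redirect Location that cannot leave the origin, and a small detector for access-log request lines of the shape seen above. The function names, the "METHOD path HTTP/x" log format, and the choice to collapse leading slashes rather than reject the request are my assumptions.

```javascript
// Added example, not fastify-static's code. Builds a same-origin redirect
// Location for a directory request and flags protocol-relative request paths.

// True when browsers would treat a Location value as pointing off-origin:
// an absolute URL with a scheme, or a protocol-relative "//host". Some
// browsers also accept "\\host" or "/\host", so backslashes count too.
function isExternalLocation(location) {
  return /^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(location) || /^[\/\\]{2}/.test(location);
}

// Resolve "." and ".." segments against the site root. ".." cannot climb
// above "/" because the segment stack is simply popped when already empty.
function normalizePath(path) {
  const out = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Build a trailing-slash redirect target from a raw request URL that stays on
// this origin. Returns null when the input cannot be made safe (malformed
// percent-encoding), so the caller can answer 400 instead of redirecting.
function safeDirectoryRedirect(rawUrl) {
  const pathPart = rawUrl.split('?', 1)[0];
  let decoded;
  try {
    decoded = decodeURIComponent(pathPart); // so %2e%2e is seen as ".."
  } catch (e) {
    return null;
  }
  // Treat backslashes as slashes, then collapse any run of leading slashes
  // to a single one: "//google.com/.." becomes "/google.com/..".
  const collapsed = '/' + decoded.replace(/\\/g, '/').replace(/^\/+/, '');
  let normalized = normalizePath(collapsed);
  if (!normalized.endsWith('/')) normalized += '/';
  const location = encodeURI(normalized);
  // Final guard: refuse anything a browser could still read as off-origin.
  return isExternalLocation(location) ? null : location;
}

// Detection helper for access logs (constructed "METHOD path HTTP/x" format):
// flags request paths that begin with "//" or a backslash variant, after
// percent-decoding so that "/%2F%2Fhost" is caught as well.
function isProtocolRelativeRequest(requestLine) {
  const m = /^[A-Z]+\s+(\S+)\s+HTTP\/\d/.exec(requestLine);
  if (!m) return false;
  let path = m[1];
  try { path = decodeURIComponent(path); } catch (e) { /* keep raw form */ }
  return /^[\/\\]{2}/.test(path);
}
```

With these helpers, the request path from the report, //google.com/%2e%2e, resolves to a redirect to / rather than to a protocol-relative //google.com/, and the corresponding access-log line is flagged by the detector.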
I tested and it only works in Firefox but not in Chrome, Edge, Opera, or Safari 😂; it is because different browsers handle the response differently.
The most straightforward impact is phishing.
However, an open redirect is also a gadget that enables attackers to go further, for example: