Open redirect issue

Hi,

I’d like to report an open redirect issue found in the Pritunl VPN web interface. The vulnerability stems from improper validation of the HTTP Host header used in incoming requests. By manipulating the Host header value, an attacker can exploit server behavior that appends /login to the given host value. This results in redirection to a URL formatted as https://[Injected-Host]/login/. Thus, a user can be redirected to any external site that supports a path of /login/, potentially leading to successful redirection to malicious sites designed to mimic legitimate login portals. This type of vulnerability can be exploited to mislead users about the authenticity of a site, particularly when combined with phishing techniques to steal credentials or disseminate malware.

Steps to reproduce:

  1. Open a web proxy tool such as Burp Suite and enable request interception.
  2. Navigate to the vulnerable login page at https://x.x.x.x/ to capture the login request.
  3. Modify the Host header in the intercepted request to an arbitrary domain (e.g., github.com).
  4. Forward the modified request and observe the server’s response.
  5. The response will indicate a 302 redirection, and the Location header or the HTML content will contain a redirection URL to https://[Injected-Host]/login. This confirms the server is improperly using the Host header value to construct the redirection target.

Tested on Pritunl v1.32.3805.95
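The following is an added example, not code from Pritunl or from the reporter. It models the behaviour the report describes (the Host header value pasted straight into the redirect target), places a hardened variant beside it that only echoes an allow-listed host and otherwise redirects relative to the origin the browser actually used, and implements the check from step 5 above against a constructed 302 response. The hostnames in `ALLOWED_HOSTS`, the sample response and all function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumption (constructed for this example): the hosts the operator really
# serves the web interface on. Any other Host value is not ours to echo.
ALLOWED_HOSTS = {"vpn.example.com", "10.0.0.5", "::1"}


def vulnerable_login_redirect(host_header: str) -> str:
    """Model of the behaviour in the report: the Host header is trusted
    verbatim and becomes the authority of the Location URL."""
    return f"https://{host_header}/login/"


def host_from_header(host_header: str):
    """Bare hostname from a Host header value: drops the port, unwraps a
    bracketed IPv6 literal and lowercases. None if it does not parse."""
    try:
        return urlsplit("//" + host_header).hostname
    except ValueError:  # e.g. an unbalanced '[' in the value
        return None


def hardened_login_redirect(host_header: str) -> str:
    """Only rebuild an absolute URL from a Host we know we serve. For anything
    else emit a path-only Location, which the browser resolves against the
    origin it actually connected to, so no attacker-chosen host is reflected."""
    try:
        parts = urlsplit("//" + host_header)
        hostname, port = parts.hostname, parts.port
    except ValueError:  # unparseable host or non-numeric port
        hostname, port = None, None
    if hostname not in ALLOWED_HOSTS:
        return "/login/"
    netloc = f"[{hostname}]" if ":" in hostname else hostname
    if port is not None:
        netloc += f":{port}"
    return f"https://{netloc}/login/"


# Constructed to match step 5 of the report; not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://github.com/login\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def location_from_response(raw: str):
    """Pull the Location header out of a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            return value.strip()
    return None


def redirect_reflects_host(injected_host: str, location_header: str) -> bool:
    """The tester's check: does the Location point at the host we injected?
    Compares hostnames only, so a differing port or path is not a false negative,
    and a relative Location (no host at all) is correctly reported as safe."""
    injected = host_from_header(injected_host)
    target = urlsplit(location_header).hostname
    return injected is not None and injected == target


if __name__ == "__main__":
    # Reproduce the report against the model, then show the hardened form.
    loc = location_from_response(SAMPLE_RESPONSE)
    print("sample response reflects Host:", redirect_reflects_host("github.com", loc))
    print("vulnerable:", vulnerable_login_redirect("github.com"))
    print("hardened  :", hardened_login_redirect("github.com"))
```

The allow-list is effectively what a reverse proxy with a fixed `server_name` in front of the application enforces: the application only ever sees a Host value the operator chose. The relative `Location` fallback is the simplest fix when an absolute URL is not actually needed.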

I think you should tag one of the moderators to resolve this query… :grinning:

This can’t be avoided without breaking a significant number of configurations. There is little to no risk with this issue; if it is a concern, configure a reverse proxy in front of the Pritunl web server.