Arno0x TwoFactorAuth login.php redirect
Description
A vulnerability classified as problematic has been found in Arno0x TwoFactorAuth. This affects an unknown part of the file login/login.php. The manipulation of the argument 'from' leads to an open redirect. It is possible to initiate the attack remotely. This product does not use versioning, which is why information about affected and unaffected releases is unavailable. The patch is named 8549ad3cf197095f783643e41333586d6a4d0e54. It is recommended to apply the patch to fix this issue. The associated identifier of this vulnerability is VDB-223803.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An open redirect vulnerability in Arno0x TwoFactorAuth's login page allows remote attackers to redirect users to arbitrary external URLs, enabling phishing attacks.
Vulnerability
An open redirect vulnerability exists in the login/login.php file of Arno0x TwoFactorAuth. The from parameter, used to specify a redirect URL after successful authentication, is not validated. This allows an attacker to supply an arbitrary external URL. The product does not use versioning, so all versions prior to the patch are affected. The issue was reported in a pull request [1] and fixed in commit 8549ad3cf197095f783643e41333586d6a4d0e54 [2].
Exploitation
An attacker can craft a malicious link that includes a from parameter pointing to an external site under the attacker's control. When a victim clicks the link and authenticates successfully, they are redirected to the attacker's site. The attacker can then present a fake authentication failure page, tricking the victim into re-entering their username, password, and two-factor token, which are captured by the attacker [1]. The attack can be initiated remotely without any prior authentication.
Impact
Successful exploitation allows an attacker to perform phishing attacks, leading to the theft of user credentials (username, password, and two-factor authentication token). With these credentials, the attacker can gain unauthorized access to the victim's account on the legitimate TwoFactorAuth-protected site. The impact is a compromise of confidentiality and integrity, as the attacker can impersonate the victim.
Mitigation
The fix is implemented in commit 8549ad3cf197095f783643e41333586d6a4d0e54 [2]. The patch sanitizes the from parameter by stripping the scheme and host, allowing only relative paths. Users should apply this patch to their installation. No workarounds are documented in the available references.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: n/a
Patches
- 8549ad3cf197: cross-site ?from can be used for phishing
1 file changed · +6 −2
login/login.php+6 −2 modified@@ -84,8 +84,12 @@ //-------------------------------------------------- // Checking which URL we should redirect the user to - if (isset($_POST["from"])) { - $from = urldecode($_POST["from"]); + if (isset($_GET['from'])) { + $from = $_GET['from']; + if (preg_match('#^(?:https?:)?//#', $_GET['from'], $m)) { + $url = parse_url($_GET['from']); + $from = $url['path'] . (!empty($url['query']) ? '?' . $url['query'] : '') . (!empty($url['fragment']) ? '#' . $url['fragment'] : ''); + } $redirectTo = ((isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on")? "https://" : "http://").$_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$from; } else {
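Review bot: `parse_url()` returns false for malformed input and, when it succeeds, does not guarantee a `path` element (an absolute URL with no path, for instance), so `$url['path']` in the new block can raise a notice and yield an empty `$from`; guard the result (`if ($url === false || !isset($url['path']))`) and fall back to a fixed default such as `/`. Two smaller points on the same hunk: the `$m` capture array passed to `preg_match` is never used and can be dropped, and the change silently moves the parameter source from `$_POST["from"]` (with `urldecode`) to `$_GET['from']`, which is a behaviour change the commit message should call out if any existing form still posts `from`. Finally, stripping scheme and host is a denylist-style repair; a stricter alternative is to accept only values that match a single-leading-slash path pattern and send everything else to the default landing page.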
- 227ed6aad38a
Vulnerability mechanics
Root cause
"Missing validation of the 'from' redirect parameter allows an attacker to redirect users to an arbitrary external URL after login."
Attack vector
An attacker crafts a link to the login page with a malicious `from` parameter pointing to an external site. When the user completes authentication, the application redirects them to the attacker-controlled URL. Because the redirect is performed after a login attempt, the attacker can present a fake "auth failed" page that tricks the victim into re-entering their credentials, thereby stealing their username, password, and current two-factor token [patch_id=2247393]. The attack is performed remotely with no special privileges required.
Affected code
The vulnerability resides in `login/login.php` [patch_id=2247393]. The code reads the `from` parameter from user input and uses it to construct a redirect URL without validating that the destination is within the same origin.
What the fix does
The patch [patch_id=2247393] adds a check using `preg_match` to detect whether the `from` value contains a protocol prefix (e.g., `https://`). If it does, the code parses the URL with `parse_url()` and extracts only the path, query, and fragment — stripping the scheme and host. This ensures the redirect stays within the same origin, closing the open redirect. A follow-up commit [patch_id=2247395] further refines the fix.
Preconditions
- network: The application must be publicly accessible over HTTP or HTTPS.
- input: The attacker must craft a URL with a malicious 'from' parameter pointing to an external site.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [2] github.com/Arno0x/TwoFactorAuth/commit/8549ad3cf197095f783643e41333586d6a4d0e54 (mitre; patch)
- [1] github.com/Arno0x/TwoFactorAuth/pull/3 (mitre; issue-tracking)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.