OrangeForum 1.4.0 Open Redirection

Summary

Orange Forum is an easy-to-deploy forum that has minimal dependencies and uses very little JavaScript. It is written in Go, and a compiled binary is available for Linux.

The views/auth.go file in Orange Forum version 1.4.0 has an open redirection vulnerability. Attackers can exploit this vulnerability by sending 'next' parameters to /login or /signup to redirect users to any website.

Solution

The vendor has issued an update to fix the bug, which can be found at https://github.com/s-gv/orangeforum
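
The following is an added example, not Orange Forum's code and not the vendor's patch: one way a Go login or signup handler can validate a 'next' value so that only same-site paths are followed. The function name safeNext, the fallback path "/" and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// safeNext (hypothetical helper) returns next only when it is a path on the
// current site; anything else is replaced by fallback.
func safeNext(next, fallback string) string {
	// Browsers may treat "\" like "/", and control characters have no place
	// in a redirect target, so reject them before parsing.
	if next == "" || strings.ContainsAny(next, "\\\r\n\t") {
		return fallback
	}
	u, err := url.Parse(next)
	if err != nil {
		return fallback
	}
	// An absolute URL, a scheme-relative "//host" URL, userinfo, or an opaque
	// form such as "javascript:..." all point away from a local path.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return fallback
	}
	// Require a rooted path and refuse a leading "//" after decoding.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return fallback
	}
	// Path plus query only; the fragment is dropped.
	return u.RequestURI()
}

func main() {
	// Constructed sample values for the 'next' parameter.
	samples := []string{
		"/topics?id=3",
		"https://example.com/",
		"//example.com/x",
		"/\\example.com",
		"javascript:alert(1)",
		"",
	}
	for _, s := range samples {
		fmt.Printf("%-24q -> %q\n", s, safeNext(s, "/"))
	}
}
```

A handler would pass the result to http.Redirect instead of the raw parameter.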