Protect your Flarum Forum: Logout Redirect Vulnerability Explained

CVSScvssV3_1: 7.5

Flarum is an open source forum software used by many websites to build online communities. A recent vulnerability was discovered that could allow malicious actors to redirect users after logging out of their Flarum forum accounts.

The issue lies in Flarum’s logout route, which previously allowed any website to specify a redirect URL. This meant that by logging out, users could be sent to unwanted websites without their knowledge or consent. Attackers could exploit trusted Flarum domains to mislead users after signing out.

Thankfully, developers have addressed the problem in Flarum version 1.8.5. However, older versions may still be at risk. The vulnerability enabled what’s known as a “logout redirect attack”, where spam or phishing sites are the destination. This poses problems for user privacy and risks exposing personal data.

If you manage a Flarum forum, updating to the latest version is recommended. Admins should also review any extensions modifying the logout behavior. For individual users, practice caution when logging out of forums. Be wary of unexpected redirects and only interact with sites you trust. Staying on top of software updates helps shield against vulnerabilities like this in the future.

By taking some basic precautions, Flarum users and communities can help protect themselves from potential logout redirect exploits and browse forums safely. Keeping apps and extensions up-to-date is one of the best ways to help secure online discussions.