Snowfox CMS 1.0 Open Redirect

2014-11-19 / 2015-04-19
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-601


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability

Vendor: Globiz Solutions
Product web page: http://www.snowfoxcms.org
Affected version: 1.0

Summary: Snowfox is an open source Content Management System (CMS) that allows your website users to create and share content based on permission configurations.

Desc: Input passed via the 'rd' GET parameter in the 'selectlanguage.class.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

===========================================================================
\modules\system\controller\selectlanguage.class.php (lines 28-31):
----------------------------------------------------

    if ($results && isset($inputs['rd'])){
        header("location: ".$inputs['rd']);
    }
    return $results;

===========================================================================

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2014-5206
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5206.php

12.11.2014

--

http://10.0.18.3/snowfox/?uri=user/select-language&formAction=submit&rd=http://www.zeroscience.mk&languageId=us-en
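The root cause above is that the 'rd' value reaches header("location: ...") unchanged. The following is an added example of a hardened form of that controller logic; it is not Snowfox CMS code, and the helper name safe_redirect_target() and the $fallback default are assumptions. It only honours 'rd' when it is a site-local absolute path, and otherwise sends the user to a fixed fallback page.

```php
<?php
// Added example, not part of Snowfox CMS: restrict the post-login/language
// redirect target to a local path so 'rd' cannot point off-site.
// Assumed: $inputs is the request array the original controller already
// uses; $fallback is a hypothetical default landing page.

function safe_redirect_target($rd, string $fallback = '/'): string
{
    // Reject non-strings (e.g. rd[]=... arrays) and empty values.
    if (!is_string($rd) || $rd === '') {
        return $fallback;
    }
    // Anything with a scheme or host is an external target:
    // http://example.test, //example.test, javascript:..., etc.
    $parts = parse_url($rd);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    // Require an absolute local path, but refuse '//' and '/\' prefixes,
    // which browsers treat as protocol-relative (external) URLs.
    if ($rd[0] !== '/') {
        return $fallback;
    }
    if (strlen($rd) > 1 && ($rd[1] === '/' || $rd[1] === '\\')) {
        return $fallback;
    }
    // Refuse control characters (including CR/LF) that could split the header.
    if (preg_match('/[\x00-\x1F\x7F]/', $rd)) {
        return $fallback;
    }
    return $rd;
}

// Hardened replacement for the vulnerable lines in selectlanguage.class.php.
if ($results && isset($inputs['rd'])) {
    header('Location: ' . safe_redirect_target($inputs['rd']), true, 302);
    exit; // stop processing so no further output follows the redirect
}
return $results;
```

With this in place the advisory's proof-of-concept value (rd=http://www.zeroscience.mk) is discarded and the user lands on the fallback page instead of the external site.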

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5206.php



Copyright 2024, cxsecurity.com
