DoorGets CMS 7.0 Open Redirect

2017.07.04

Credit: Rudra Sarkar

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2016-3726

CWE: CWE-601

Ogólna skala CVSS: 5.8/10

Znaczenie: 4.9/10

Łatwość wykorzystania: 8.6/10

Wymagany dostęp: Zdalny

Złożoność ataku: Średnia

Autoryzacja: Nie wymagana

Wpływ na poufność: Częściowy

Wpływ na integralność: Częściowy

Wpływ na dostępność: Brak

# Title: Open Redirect DoorGets CMS
# Version: 7.0
# vendor: https://github.com/doorgets/doorGets/
# Tested on: Windows 64-bit
# Author: Rudra Sarkar (@rudr4_sarkar)
# CVE: 2016-3726

1. Affected Param back=
2. Full URL
http://127.0.0.1/dg-user/?controller=authentification&back=http%3A%2F%2Fexploitlab.ex%2F
3. Go to login page you will get this type of URL
4. Now time for Redirect
5. Change the back= parm URL
http://exploitlab.ex/dg-user/?controller=authentification&back=http%3a%2f%2fevil.com%2f
6. Evil URL Like http://evil.com/ i encode the special charecter.
7. Now enter the URL in browser and press enter you will see login page.
8. Now Login using your email password
9. You will redirected to http://evil.com

# Timeline
18-06-17:  Reported to the vendor
28-06-17:  No reply from vendor
01-07-17:  Assigned CVE-2016-3726

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

DoorGets CMS 7.0 Open Redirect

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.