Handy Address Book Server 3.4 URI redirection vulnerability

Published: 2017.04.18
Credit: malwrforensics
Risk: Low
CWE: N/A
CVE: N/A
Local: No
Remote: Yes

# Exploit Title: Handy Address Book Server 3.4 URI redirection vulnerability
# Date: 2017/04/15
# Exploit Author: malwrforensics
# Vendor Homepage: https://www.handyaddressbook.com/
# Software Link: https://www.handyaddressbook.com/downloads/AHABS34.exe
# Version: 3.4.0
# Tested on: Windows 7 x86

The Handy Address Book Server v3.4.0 is vulnerable to URI redirection (an open redirect) because the CALLURL parameter isn't properly sanitized before it is used as the redirect target.

Example:
http://server/?CMD=EDITOR&BOOK=testbook&NID=1&INPOPUP=0&CALLURL=http://new-site/alert.html

Once the user clicks Save or Cancel, they are redirected to the site given in CALLURL ("new-site").
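The fix on the server side is to treat CALLURL as an untrusted value and only honour same-site, path-only targets. The following is an added Python example (not code from the vendor or from the advisory author) showing that validation, a safe fallback, and a detection helper that flags requests whose CALLURL points off-site; the function names are hypothetical, and the request URI below is the one from the advisory.

```python
from urllib.parse import parse_qs, unquote, urlsplit


def is_safe_callurl(value: str) -> bool:
    """Accept CALLURL only when it is a relative path on this server.

    Besides absolute URLs, this rejects the variants that defeat a naive
    'starts with /' check: protocol-relative //host, backslash spellings
    that browsers normalise to '/', percent-encoded versions of those,
    and CR/LF/TAB characters that could corrupt the Location header.
    """
    if not value:
        return False
    # Decode once so %2F%2Fhost is judged the same as //host.
    norm = unquote(value).replace("\\", "/")
    if any(ord(c) < 0x20 for c in norm):
        return False
    if not norm.startswith("/") or norm.startswith("//"):
        return False
    parts = urlsplit(norm)
    # A bare path carries neither a scheme nor an authority component.
    return not parts.scheme and not parts.netloc


def safe_redirect_target(callurl: str, default: str = "/") -> str:
    """What the Save/Cancel handler should redirect to instead of CALLURL verbatim."""
    return callurl if is_safe_callurl(callurl) else default


def flag_external_callurl(request_uri: str):
    """Detection helper for access logs: return the off-site host named in
    CALLURL, or None when the request carries no unsafe CALLURL."""
    query = urlsplit(request_uri).query
    for value in parse_qs(query).get("CALLURL", []):
        if not is_safe_callurl(value):
            host = urlsplit(unquote(value).replace("\\", "/")).netloc
            return host or value
    return None


if __name__ == "__main__":
    # Request URI taken from the advisory above.
    uri = ("http://server/?CMD=EDITOR&BOOK=testbook&NID=1&INPOPUP=0"
           "&CALLURL=http://new-site/alert.html")
    print("off-site CALLURL host:", flag_external_callurl(uri))
    print("server would redirect to:", safe_redirect_target("http://new-site/alert.html"))
```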

Copyright 2017, cxsecurity.com