DoorGets CMS 7.0 Open Redirect

2017.07.04
Credit: Rudra Sarkar
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2016-3726
CWE: CWE-601


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

# Title: Open Redirect DoorGets CMS # Version: 7.0 # vendor: https://github.com/doorgets/doorGets/ # Tested on: Windows 64-bit # Author: Rudra Sarkar (@rudr4_sarkar) # CVE: 2016-3726 1. Affected Param back= 2. Full URL http://127.0.0.1/dg-user/?controller=authentification&back=http%3A%2F%2Fexploitlab.ex%2F 3. Go to login page you will get this type of URL 4. Now time for Redirect 5. Change the back= parm URL http://exploitlab.ex/dg-user/?controller=authentification&back=http%3a%2f%2fevil.com%2f 6. Evil URL Like http://evil.com/ i encode the special charecter. 7. Now enter the URL in browser and press enter you will see login page. 8. Now Login using your email password 9. You will redirected to http://evil.com # Timeline 18-06-17: Reported to the vendor 28-06-17: No reply from vendor 01-07-17: Assigned CVE-2016-3726


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top