SilverStripe 2.4.7 Open URL Redirection

`1. OVERVIEW  
  
SilverStripe 2.4.7 and lower versions are vulnerable to Open URL Redirection.  
  
  
2. BACKGROUND  
  
SilverStripe CMS is easy for both developers and content authors to  
work with. The SilverStripe Framework keeps the code tucked away  
neatly so that it can be accessed easily by programmers but does not  
get in the way of content authors.  
  
  
3. VULNERABILITY DESCRIPTION  
  
SilverStripe CMS contains a flaw that allows a remote cross site  
redirection attack. This flaw exists because the application does not  
validate the "BackURL" parameter upon submission to the  
"/index.php/Security/login" script. This could allow a user to create  
a specially crafted URL, that if clicked, would redirect a victim from  
the intended legitimate web site to an arbitrary web site of the  
attacker's choosing.  
  
  
4. VERSIONS AFFECTED  
  
Tested on 2.4.7  
  
  
5. PROOF-OF-CONCEPT/EXPLOIT  
  
http://localhost/index.php/Security/login?BackURL=//yehg.net  
  
  
6. SOLUTION  
  
Upgrade to the latest 3.x version.  
  
  
7. VENDOR  
  
SilverStripe Development Team  
http://www.silverstripe.org/  
  
  
8. CREDIT  
  
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN  
Ethical Hacker Group, Myanmar.  
  
  
9. DISCLOSURE TIME-LINE  
  
2012-02-06: notified vendor  
2012-10-15: vulnerability disclosed  
  
  
10. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/%5BSilverStripe_2.4.7%5D_url_redirection  
  
#yehg [2012-10-15]  
  
---------------------------------  
Best regards,  
YGN Ethical Hacker Group  
Yangon, Myanmar  
http://yehg.net  
Our Lab | http://yehg.net/lab  
Our Directory | http://yehg.net/hwd  
`