Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Babel 0.4.1 Open Redirection

🗓️ 05 Mar 2019 00:00:00Reported by Jan KoprivaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 39 Views

Babel 0.4.1 Open Redirection vulnerability in CMS Made Simpl

Code
`Affected Software: Babel: Multilingual Site module for CMS Made Simple  
Affected Version: 0.4.1 and earlier  
Patched Version: None - project is no longer under development  
CVE Identifier: TBD  
Vulnerability type: CWE-601: URL Redirection to Untrusted Site ('Open   
Redirect')  
Severity Rating: CVSS v3 Base Score: 6.1   
(AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)  
Security Researcher: Jan Kopriva @ Alef Nula  
  
Summary:  
The Babel multi-language module for CMSMS contains an open redirection   
vulnerability in a script within the redirect.php file. The script takes   
an argument specifying a URL to which a browser should be redirected.   
This URL may be completely arbitrary. It is therefore possible to craft   
a link to a Babel-enabled site which causes redirection to any URL   
specified, even outside the originating domain. This is especially   
useful for phishing attacks, when attacker creates a link to a safe   
site, which, without the knowledge of a user, redirects him or her to a   
fake/malicious site. All CMSMS sites with Babel module installed are   
affected, since redirect.php is always publically accessible.  
  
Detailed description:  
The Babel module (http://dev.cmsmadesimple.org/projects/babel) provides   
CMSMS sites with the capacity to easily switch between multiple   
translations of web page content. Desired translation may be chosen by   
sending a GET request to vulnerable.site/modules/babel/redirect.php.   
Under normal conditions, this PHP script takes two arguments - "newlang"   
and "newurl". The first argument sets the desired language for the   
translation and the second one sets URL which should be displayed in   
selected language.  
A non-working example of what the URL might look like is   
https://www.vulnerable.site/modules/babel/redirect.php?newlang=en_US&newurl=https://www.vulnerable.site/about.  
The vulnerability is caused by the absence of any filtering when the   
parameter "newurl" is processed (the parametr "newlang" is - for our   
purposes - optional and may be omitted).  
Further information regarding the vulnerability may be found at:  
https://www.untrustednetwork.net/en/2019/02/20/open-redirection-vulnerability-in-babel/  
https://www.untrustednetwork.net/en/2019/03/02/how-big-of-a-problem-is-the-open-redirect-in-babel/  
  
Proof of Concept:  
https://www.vulnerable.site/modules/babel/redirect.php?newurl=https://www.malicious.site/.  
  
Recommendation:  
Removal of the Babel module from any affected site.  
  
Disclosure timeline:  
Developer Contacted: 2. 2. 2019  
Developer Responded: 11. 2. 2019 (project abandoned, no new versions are   
to be expected)  
Disclosure to CSIRT network: 14. 2. 2019  
Public Disclosure: 23. 2. 2019  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Mar 2019 00:00Current
7.4High risk
Vulners AI Score7.4
babel moduleopen redirectioncmsmsurl redirectionvulnerabilitysecurity researcherphishingfilteringremovaldisclosure timeline
39