wpvulndb | Viktor Markopoulos | WPVDB-ID: 56628862-1687-4862-9ED4-145D8DFBCA97
History: Apr 29, 2021 - 12:00 a.m.

AcyMailing < 7.5.0 - Open Redirect

Source: wpscan.com

EPSS: 0.001 (Low)
EPSS Percentile: 49.5%

When subscribing using AcyMailing, the “redirect” parameter isn’t properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.

PoC

When using AcyMailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that into a GET request and adding the parameters as GET parameters, you can successfully go through with the subscription. Any redirection configuration(s) will not be applied, i.e. the landing page can be changed at will. The email, though, must be unique for each try.

http://example.com/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=[email protected]&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget 2&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym

This will redirect to example.com. You can change the redirect value to any webpage.
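The check the advisory says is missing, written here as an added example (not AcyMailing's own code): a redirect target is accepted only if it stays on the site's own host (assumed to be example.com), and the same function is run over constructed access-log lines to flag GET requests to the subscribe action whose redirect points off-site.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "example.com"  # assumption: the site's own host, not taken from the advisory

def is_safe_redirect(target, site_host=SITE_HOST):
    """Accept only site-relative paths or absolute http(s) URLs on site_host.

    Rejects other hosts, scheme-relative "//evil", backslash variants and
    non-http(s) schemes; an unsanitized value would pass straight through.
    """
    target = unquote(target).strip()
    if not target or "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        return parts.hostname == site_host
    return target.startswith("/") and not target.startswith("//")

def find_offsite_redirects(log_lines, site_host=SITE_HOST):
    """Flag GET requests to the AcyMailing subscribe action whose 'redirect'
    parameter leaves the site (the PoC turns the POST into a GET).
    Returns (client_ip, redirect_target) pairs."""
    hits = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP/', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query)
        if query.get("page") != ["acymailing_front"] or query.get("task") != ["subscribe"]:
            continue
        for target in query.get("redirect", []):
            if not is_safe_redirect(target, site_host):
                hits.append((line.split()[0], target))
    return hits

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2021:10:00:01 +0000] "GET /index.php?page=acymailing_front'
    '&ctrl=frontusers&task=subscribe&redirect=https%3A%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 0',
    '198.51.100.7 - - [29/Apr/2021:10:00:02 +0000] "POST /index.php?page=acymailing_front HTTP/1.1" 302 0',
    '192.0.2.9 - - [29/Apr/2021:10:00:03 +0000] "GET /index.php?page=acymailing_front'
    '&ctrl=frontusers&task=subscribe&redirect=%2Fthank-you HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, target in find_offsite_redirects(SAMPLE_LOG):
        print(f"off-site redirect from {ip}: {target}")
```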

CPE Name   | Operator | Version
acymailing | lt       | 7.5.0

