Lucene search

Gjoko KrsticZSL-2014-5206

HistoryNov 18, 2014 - 12:00 a.m.

Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability

2014-11-1800:00:00

Gjoko Krstic

zeroscience.mk

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

AI Score

6.5

Confidence

High

EPSS

0.007

Percentile

80.8%

JSON

Title: Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability
Advisory ID: ZSL-2014-5206
Type: Local/Remote
Impact: Spoofing
Risk: (2/5)
Release Date: 18.11.2014

Summary

Snowfox is an open source Content Management System (CMS) that allows your website users to create and share content based on permission configurations.

Description

Input passed via the ‘rd’ GET parameter in ‘selectlanguage.class.php’ script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

--------------------------------------------------------------------------------

` /modules/system/controller/selectlanguage.class.php:

28: if ($results && isset($inputs[‘rd’])){
29: header("location: ".$inputs[‘rd’]);
30: }
31: return $results;
`
--------------------------------------------------------------------------------

Vendor

Globiz Solutions - <http://www.snowfoxcms.org>

Affected Version

1.0

Tested On

Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14

Vendor Status

[20.11.2014] Vendor releases version 1.0.10 to address this issue.

PoC

snowfox_url.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://cxsecurity.com/issue/WLB-2014110127>
[2] <http://packetstormsecurity.com/files/129162>
[3] <http://www.securityfocus.com/bid/71174>
[4] <http://xforce.iss.net/xforce/xfdb/98811>
[5] <https://github.com/GlobizSolutions/snowfox/releases>
[6] <http://osvdb.org/show/osvdb/114850>
[7] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9343>
[8] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9343>

Changelog

[18.11.2014] - Initial release
[19.11.2014] - Added reference [1], [2] and [3]
[20.11.2014] - Added vendor status and reference [4], [5] and [6]
[09.12.2014] - Added reference [7] and [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability


Vendor: Globiz Solutions
Product web page: http://www.snowfoxcms.org
Affected version: 1.0

Summary: Snowfox is an open source Content Management System (CMS)
that allows your website users to create and share content based
on permission configurations.

Desc: Input passed via the 'rd' GET parameter in 'selectlanguage.class.php'
script is not properly verified before being used to redirect users. This
can be exploited to redirect a user to an arbitrary website e.g. when a user
clicks a specially crafted link to the affected script hosted on a trusted
domain.

===========================================================================
\modules\system\controller\selectlanguage.class.php:
----------------------------------------------------

28: if ($results &amp;&amp; isset($inputs['rd'])){
29:      header("location: ".$inputs['rd']);
30: }
31: return $results;

===========================================================================

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5206
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5206.php



12.11.2014

--


http://10.0.18.3/snowfox/?uri=user/select-language&amp;formAction=submit&amp;rd=http://www.zeroscience.mk&amp;languageId=us-en
</p></body></html>