CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
AI Score
Confidence: High
EPSS
Percentile: 80.8%
Title: Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability
Advisory ID: ZSL-2014-5206
Type: Local/Remote
Impact: Spoofing
Risk: (2/5)
Release Date: 18.11.2014
Snowfox is an open source Content Management System (CMS) that allows your website users to create and share content based on permission configurations.
Input passed via the 'rd' GET parameter in the 'selectlanguage.class.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
--------------------------------------------------------------------------------
// selectlanguage.class.php, lines 28-31
if ($results && isset($inputs['rd'])){
    // 'rd' goes into the Location header without any validation
    header("location: ".$inputs['rd']);
}
return $results;
--------------------------------------------------------------------------------
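One way to constrain the 'rd' value before it reaches header(), shown as an added example: it is not code from the advisory and not the vendor's 1.0.10 fix. The function name safe_redirect_target(), the allowlisted host cms.example.test and the '/' fallback are assumptions made for illustration.

```php
<?php
// Added example: allowlist check for a redirect parameter such as 'rd'.
// safe_redirect_target(), the allowlist and the '/' fallback are hypothetical.
function safe_redirect_target($rd, array $allowedHosts, $fallback = '/')
{
    if (!is_string($rd) || $rd === '') {
        return $fallback;
    }
    // Refuse control characters (CR/LF) and backslashes; some browsers treat
    // "\" as "/", so "/\host" would behave like the protocol-relative "//host".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $rd)) {
        return $fallback;
    }
    // Local path: a single leading slash only, so "//host" is refused.
    if ($rd[0] === '/') {
        return (strlen($rd) > 1 && $rd[1] === '/') ? $fallback : $rd;
    }
    // Anything else must be an absolute http(s) URL on an allowlisted host.
    $parts = parse_url($rd);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback; // "trusted-host@other-host" style authority
    }
    $schemeOk = in_array(strtolower($parts['scheme']), ['http', 'https'], true);
    $hostOk   = in_array(strtolower($parts['host']), $allowedHosts, true);
    return ($schemeOk && $hostOk) ? $rd : $fallback;
}

// Constructed sample values; cms.example.test stands in for the site's own host.
$allowed = ['cms.example.test'];
$samples = [
    '/?uri=user/profile',
    'https://cms.example.test/home',
    'http://www.zeroscience.mk',            // target used in the advisory's PoC link
    '//other.example.test/',
    '/\\other.example.test/',
    'https://cms.example.test@other.example.test/',
];
foreach ($samples as $rd) {
    printf("%-46s -> %s\n", $rd, safe_redirect_target($rd, $allowed));
}
// In the controller the checked value would replace the raw one:
// header('Location: ' . safe_redirect_target($inputs['rd'], $allowed));
```

The host comparison is an exact match on purpose: suffix or substring checks would accept a host such as cms.example.test.other.example.test.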
Vendor: Globiz Solutions - <http://www.snowfoxcms.org>
Affected version: 1.0
Tested on: Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Vendor status: [20.11.2014] Vendor releases version 1.0.10 to address this issue.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References:
[1] <http://cxsecurity.com/issue/WLB-2014110127>
[2] <http://packetstormsecurity.com/files/129162>
[3] <http://www.securityfocus.com/bid/71174>
[4] <http://xforce.iss.net/xforce/xfdb/98811>
[5] <https://github.com/GlobizSolutions/snowfox/releases>
[6] <http://osvdb.org/show/osvdb/114850>
[7] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9343>
[8] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9343>
Changelog:
[18.11.2014] - Initial release
[19.11.2014] - Added reference [1], [2] and [3]
[20.11.2014] - Added vendor status and reference [4], [5] and [6]
[09.12.2014] - Added reference [7] and [8]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability
Vendor: Globiz Solutions
Product web page: http://www.snowfoxcms.org
Affected version: 1.0
Summary: Snowfox is an open source Content Management System (CMS)
that allows your website users to create and share content based
on permission configurations.
Desc: Input passed via the 'rd' GET parameter in 'selectlanguage.class.php'
script is not properly verified before being used to redirect users. This
can be exploited to redirect a user to an arbitrary website e.g. when a user
clicks a specially crafted link to the affected script hosted on a trusted
domain.
===========================================================================
\modules\system\controller\selectlanguage.class.php (lines 28-31):
----------------------------------------------------
if ($results && isset($inputs['rd'])){
    header("location: ".$inputs['rd']);
}
return $results;
===========================================================================
Tested on: Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2014-5206
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5206.php
12.11.2014
--
http://10.0.18.3/snowfox/?uri=user/select-language&formAction=submit&rd=http://www.zeroscience.mk&languageId=us-en