
Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability

zeroscience

31 May 2010
www.zeroscience.mk
Code:
Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability


Vendor: Globiz Solutions
Product web page: http://www.snowfoxcms.org
Affected version: 1.0

Summary: Snowfox is an open source Content Management System (CMS)
that allows your website users to create and share content based
on permission configurations.

Desc: Input passed via the 'rd' GET parameter to the 'selectlanguage.class.php'
script is not properly verified before being used to redirect users. This
can be exploited to redirect a user to an arbitrary website, e.g. when a user
clicks a specially crafted link to the affected script hosted on a trusted
domain.

===========================================================================
\modules\system\controller\selectlanguage.class.php:
----------------------------------------------------

28: if ($results && isset($inputs['rd'])){
29:      header("location: ".$inputs['rd']);
30: }
31: return $results;

===========================================================================

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5206
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5206.php



12.11.2014

--


http://10.0.18.3/snowfox/?uri=user/select-language&formAction=submit&rd=http://www.zeroscience.mk&languageId=us-en


http://www.zeroscience.mk/mk/vulnerabilities/ZSL-2014-5206.php
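As an added example that is not from the advisory or the Snowfox project, here is the unsafe pattern the advisory describes beside a hardened helper that only honours site-local paths; the function names (safe_redirect_target, redirect_unsafe, redirect_safe) and the sample inputs are assumed.

```php
<?php
// Added example, not Snowfox code. $inputs mirrors the advisory's array of
// request parameters; the helper names below are assumptions.

/**
 * Return a redirect target that stays on this site, or $fallback.
 * Only a path starting with a single "/" is accepted: no scheme, no
 * "//host" (protocol-relative), no "/\host" (browsers treat "\" as "/"),
 * and no CR/LF, so the value cannot smuggle extra headers either.
 */
function safe_redirect_target(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    // \z (not $) so a trailing newline cannot slip past the check.
    if (preg_match('#^/(?![/\\\\])[^\r\n]*\z#', $candidate) !== 1) {
        return $fallback;
    }
    // Defence in depth: a parsed scheme or host means it is not a local path.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $candidate;
}

// The vulnerable pattern from the advisory: the value is sent verbatim,
// so whoever builds the link chooses the destination.
function redirect_unsafe(array $inputs): void
{
    if (isset($inputs['rd'])) {
        header("Location: " . $inputs['rd']);
    }
}

// Hardened replacement: anything that is not a local path becomes "/".
function redirect_safe(array $inputs): void
{
    header("Location: " . safe_redirect_target($inputs['rd'] ?? null, '/'));
}

// Constructed inputs for a quick check from the command line.
$samples = ['/user/profile', 'http://www.zeroscience.mk', '//attacker.example',
            '/\\attacker.example', "/ok\r\nSet-Cookie: x=1"];
foreach ($samples as $rd) {
    printf("%-32s -> %s\n", json_encode($rd), safe_redirect_target($rd));
}
```

Only the first sample is returned unchanged; the other four fall back to "/".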