
Advisory from Netsparker - GetSimpleCMS - Open Redirection #1300

Closed
DanielBishtawi opened this issue Nov 12, 2018 · 7 comments

Comments

@DanielBishtawi

Hello,

While testing the Netsparker web application security scanner we identified an Open Redirection vulnerability in GetSimpleCMS. Can you please advise whom we should contact to disclose the vulnerability details so it can be fixed?

Please email me at daniel@netsparker.com for the technical details.

Looking forward to hearing from you.

Regards,

Daniel Bishtawi
Marketing Administrator | Netsparker Web Application Security Scanner

@tablatronix
Member

Just disclose here

@DanielBishtawi
Author

Hello Shawn,

Thank you for getting back to us. This vulnerability was identified by Mithat Gogebaka.

The details are below. Once you start working on a fix, please keep us posted on the status of the fix. We would also appreciate it if you could mention us and link to our website (https://www.netsparker.com) in your release announcement content.

Open Redirection vulnerability Technical details:

URL : http://localhost/GetSimpleCMS-3.3.13/admin/index.php?redirect=http://r87.com/?localhost/
Parameter Name : redirect
Parameter Type : GET
Attack Pattern : http://r87.com/?localhost/

Should there be anything else we can help you with, please do not hesitate to ask.

@tablatronix tablatronix added this to the 3.3.16 milestone Nov 12, 2018
@tablatronix
Member

tablatronix commented Nov 12, 2018

`$cookie_redirect` in `configuration.php`, used in `login_functions.php`

purpose

redirect after login success to original destination

bug

accepts an arbitrary string from the query parameter `redirect` and passes it to `redirect()`

sanitize

  • sanitize redirect to local, or prepend context
  • no newlines in header ( should be ok though in php 5.2+ ) but still
  • additionally add whitelist of pages and actions allowed in redirect ( partially implemented in 3.4 )

Mitigation / Workaround

  • remove from configuration.php

```php
if (isset($_GET['redirect'])) {
	// $cookie_redirect = $_GET['redirect']; // REMOVE: unvalidated target taken straight from the query string
	$cookie_redirect = 'pages.php';
} else {
	$cookie_redirect = 'pages.php';
}
```
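
One way to implement the sanitize points above (no newlines in the header, reject non-local targets, allowlist of pages), as an added example that is not GetSimpleCMS code and not from this thread; the allowlist contents and the function name are assumptions:

```php
<?php
// Added example, not GetSimpleCMS code: validate the login "redirect" value per the
// sanitize notes above instead of passing it to redirect() unchanged. Allowlist assumed.
const DEFAULT_TARGET = 'pages.php';
// Admin pages a post-login redirect may land on (constructed allowlist).
const ALLOWED_ADMIN_PAGES = ['pages.php', 'edit.php', 'upload.php', 'settings.php'];

function safe_login_redirect(?string $raw, array $allowed = ALLOWED_ADMIN_PAGES): string
{
    if ($raw === null || $raw === '') {
        return DEFAULT_TARGET;
    }
    // A CR, LF or NUL in a Location header value would split the response.
    if (preg_match('/[\r\n\0]/', $raw)) {
        return DEFAULT_TARGET;
    }
    // Anything with a scheme or authority is off-site: "http://x", "//x", "user@x".
    $parts = parse_url($raw);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return DEFAULT_TARGET;
    }
    // A leading "/" or "\" would leave the admin directory (browsers treat "\\x" like "//x").
    if ($raw[0] === '/' || $raw[0] === '\\') {
        return DEFAULT_TARGET;
    }
    // Only a bare page name from the allowlist is accepted, so "../x.php" is rejected too.
    $path = $parts['path'] ?? '';
    if (!in_array($path, $allowed, true)) {
        return DEFAULT_TARGET;
    }
    // Keep a query string only when it is plain key=value text.
    $query = $parts['query'] ?? '';
    if ($query !== '' && !preg_match('/^[A-Za-z0-9_=&.\-]+$/', $query)) {
        return DEFAULT_TARGET;
    }
    return $query === '' ? $path : $path . '?' . $query;
}

// Constructed inputs; the first is the advisory payload from this thread.
$samples = [
    'http://r87.com/?localhost/',   // off-site absolute URL
    '//r87.com/',                   // protocol-relative URL
    "edit.php\r\nSet-Cookie: a=b",  // header injection attempt
    '../index.php',                 // path not on the allowlist
    'edit.php?id=index',            // allowlisted page with a plain query
];
foreach ($samples as $s) {
    printf("%-34s => %s\n", json_encode($s), safe_login_redirect($s));
}
```

Every sample except the last resolves to the default `pages.php`; the allowlisted one is returned unchanged.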

@tablatronix
Member

tablatronix commented Nov 12, 2018

Possible additional vector, although severity is low as it requires a nonce

changedata.php

```php
if ($_POST['redirectto'] != '') {
	$redirect_url = $_POST['redirectto'];
	// ...
}
```

No idea what this is for, it comes from js

@DanielBishtawi
Author

@tablatronix What is the status of the fix?

@fgeek

fgeek commented Mar 22, 2019

MITRE assigned CVE-2019-9915 for this vulnerability.

tablatronix pushed a commit that referenced this issue May 22, 2019
mitigate open redirection, removes redirect to original request on login
@tablatronix
Member

Mitigated
