Vulnerability Report - Unvalidated open redirection

[honeyakshat999]

Description

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

The vulnerability exists in the file https://github.com/fuge/cms/blob/master/src/foo/cms/action/member/RegisterAct.java where application is taking the nextUrl parameter as a user input and passing it without any validation. in next lines this nextUrl paramter is being used for redirection.

Root Cause

As mentioned above the file https://github.com/fuge/cms/blob/master/src/foo/cms/action/member/RegisterAct.java contains the following code:

 @RequestMapping(value = "/register.jspx", method = RequestMethod.POST)
public String submit(String username, String email, String password,
		CmsUserExt userExt, String captcha, String nextUrl,
		HttpServletRequest request, HttpServletResponse response,
		ModelMap model) throws IOException {  

This code takes in nextUrl as user input and passing it then this parameter is directly being used in line 110

response.sendRedirect(nextUrl);

Steps to reproduce

• Compile and run the following application using java.
• Once done, navigate to the application.
• open /register.jspx endpoint.
• modify the nextUrl parameter and enter the user controlled url. submit it.
• analyze the response.

Proof of concept