| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAPYM6Vw7xJd8=y83gWCBcEtMEyBYQetSxE+9jobpnryMiKGtiQ@mail.gmail.com> Date: Mon, 15 Oct 2012 00:38:38 +0800 From: YGN Ethical Hacker Group <lists@...g.net> To: full-disclosure <full-disclosure@...ts.grok.org.uk>, bugtraq <bugtraq@...urityfocus.com>, secalert@...urityreason.com, bugs@...uritytracker.com, vuln <vuln@...unia.com>, vuln@...urity.nnov.ru, news@...uriteam.com, moderators@...db.org, submissions@...ketstormsecurity.org, submit@...ecurity.com, oss-security@...ts.openwall.com Subject: [Full-disclosure] SilverStripe CMS 2.4.7 <= Arbitrary URL Redirection 1. OVERVIEW SilverStripe 2.4.7 and lower versions are vulnerable to Open URL Redirection. 2. BACKGROUND SilverStripe CMS is easy for both developers and content authors to work with. The SilverStripe Framework keeps the code tucked away neatly so that it can be accessed easily by programmers but does not get in the way of content authors. 3. VULNERABILITY DESCRIPTION SilverStripe CMS contains a flaw that allows a remote cross site redirection attack. This flaw exists because the application does not validate the "BackURL" parameter upon submission to the "/index.php/Security/login" script. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. 4. VERSIONS AFFECTED Tested on 2.4.7 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/index.php/Security/login?BackURL=//yehg.net 6. SOLUTION Upgrade to the latest 3.x version. 7. VENDOR SilverStripe Development Team http://www.silverstripe.org/ 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-02-06: notified vendor 2012-10-15: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5BSilverStripe_2.4.7%5D_url_redirection #yehg [2012-10-15] --------------------------------- Best regards, YGN Ethical Hacker Group Yangon, Myanmar http://yehg.net Our Lab | http://yehg.net/lab Our Directory | http://yehg.net/hwd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists