- href="%3C?php%20echo%20k_create_link(array('status',%20'pg'));%20?%3E">t('all'); ?> |
- href="%3C?php%20echo%20k_create_link(array('status',%20'pg'));%20?%3E&status=0">t('unapproved'); ?> |
- href="%3C?php%20echo%20k_create_link(array('status',%20'pg'));%20?%3E&status=1">t('approved'); ?> (of '.$page_title.')'; } ?>
| t('view'); ?> | t('edit'); ?> | t('delete'); ?>
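Open Redirect

The filter that checks whether a user-supplied redirect value leads to an external page can be bypassed by an attacker. The external-site check in the code below only runs when the destination starts with `http`. A scheme-relative value such as `//google.com` therefore never reaches the comparison against K_SITE_URL and, going by the proof of concept, is sent in the Location header as supplied; browsers resolve such a value as a different host under the current scheme.

Proof of Concept (only works for logged-in victims or after login):

http://localhost/CouchCMS-1.4.5/couch/login.php?redirect=//google.com

Code: /couch/auth/auth.php

```php
function redirect( $dest ){
    global $FUNCS, $DB;

    // sanity checks
    $dest = $FUNCS->sanitize_url( trim($dest) );
    if( !strlen($dest) ){
        $dest = ( $this->user->access_level < K_ACCESS_LEVEL_ADMIN ) ? K_SITE_URL : K_ADMIN_URL . K_ADMIN_PAGE;
    }
    elseif( strpos(strtolower($dest), 'http')===0 ){
        if( strpos($dest, K_SITE_URL)!==0 ){
            // we don't allow redirects external to our site
            $dest = K_SITE_URL;
        }
    }

    $DB->commit( 1 );
    header( "Location: ".$dest );
    die();
}
```

When reviewing redirect handlers of this shape, check that the allow-list is the default: a destination should be accepted only if it is a same-site absolute URL or a local path, and everything else (including values beginning with `//`) should fall back to the site URL.

4. Solution

To mitigate this issue, please upgrade to at least version 1.4.7: http://ift.tt/1Psz3AY

Please note that a newer version might already be available.

5. Report Timeline

11/17/2015 Informed Vendor about Issue
11/18/2015 Vendor sends fixes for confirmation
11/20/2015 Verified fixes
11/24/2015 Vendor releases fix
12/21/2015 Disclosed to public

Blog Reference: http://ift.tt/1JuUfic

Source: Gmail -> IFTTT-> Blogger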