To Report an Open URL Redirect Security Vulnerability in zurmo v3.1.1.7

Issue #425 closed
Unknown user 92090 created an issue

Description:

I would like to report a vulnerability that I have found today on
zurmo-stable-3.1.1.7 in which the attacker can redirect the victim
to a malicious domain.

Technical Description: Unvalidated redirects/Open URL redirects and
forwards are possible when a web application accepts untrusted input
that could cause the web application to redirect the request to a URL
contained within untrusted input. By modifying untrusted URL input to
a malicious site, an attacker may successfully launch a phishing scam
and steal user credentials. Because the server name in the modified
link is identical to the original site, phishing attempts may have a
more trustworthy appearance. Unvalidated redirect and forward attacks
can also be used to maliciously craft a URL that would pass the
application's access control check and then forward the attacker to
privileged functions that they would normally not be able to access.

Vulnerability Type

Open URL Redirects and Forwards

Affected Product Code Base

Zurmo CRM - zurmo-stable-3.1.1.7b482704bc58

Affected Component

  1. https://localhost/zurmo/app/index.php/zurmo/default/toggleCollapse?returnUrl=http://provensec.com
  2. https://localhost/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=https://paypal.com

Attack Vectors

Steps:

1. Log in to zurmo-crm as a user (tested as super user).

2. Open the first URL; it redirects the user directly without any kind of input.

3. For the second URL:

a. Go to https://localhost/zurmo/app/index.php/meetings/default/createMeeting

b. Enter any redirect URL. In our case ?redirectUrl=https://paypal.com

c. Fill in the meeting form; on clicking the Save button the user is redirected to the malicious URL.

Reference

https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Discoverer

Organization: Provensec LLC
Website: http://provensec.com/
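Added example (not Zurmo's code and not part of the original report): the usual fix for the two parameters named above is to validate `returnUrl`/`redirectUrl` before issuing the redirect and fall back to a known location when the value cannot be proven to stay on the application. The function below is written in Python for illustration (Zurmo itself is PHP, but the check is language-neutral); the parameter names, the `app_host` value `localhost` and the sample inputs are assumptions taken from the URLs in this report, not from the project.

```python
"""Validating an untrusted redirect parameter so that only same-application
targets are ever placed in a Location header. Added example, not Zurmo code."""
from urllib.parse import urlsplit


def safe_redirect_target(raw: str, app_host: str, fallback: str = "/") -> str:
    """Return a redirect target that stays on app_host, or `fallback`.

    Accepted forms:
      * a relative path with exactly one leading slash, e.g. "/zurmo/app/index.php"
      * an absolute http(s) URL whose host equals app_host (returned as a
        relative path, so the scheme, port and any userinfo are dropped)
    Everything else is rejected: other schemes (javascript:, data:, ...),
    scheme-relative "//host" forms, backslash variants, control characters.
    """
    value = (raw or "").strip()
    if not value:
        return fallback
    # CR/LF or other control characters must never reach a Location header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return fallback
    # Browsers treat '\' like '/', so "/\evil.example" would leave the site;
    # normalise before the relative-path check below.
    value = value.replace("\\", "/")

    # Case 1: relative path. "//host/..." is scheme-relative, hence rejected.
    if value.startswith("/"):
        return fallback if value.startswith("//") else value

    # Case 2: absolute URL. Must be http(s) and point at our own host.
    parts = urlsplit(value)
    if parts.scheme.lower() not in ("http", "https"):
        return fallback
    if (parts.hostname or "").lower() != app_host.lower():
        return fallback

    # Rebuild as a relative target so that userinfo/port never leak through.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    if parts.fragment:
        target += "#" + parts.fragment
    # "http://localhost//evil.example" yields a path of "//evil.example",
    # which a browser would again read as scheme-relative.
    if target.startswith("//"):
        return fallback
    return target


if __name__ == "__main__":
    # Constructed inputs modelled on the two URLs in the report.
    for candidate in ("http://provensec.com", "https://paypal.com",
                      "/zurmo/app/index.php/home/default/index"):
        print(repr(candidate), "->", safe_redirect_target(candidate, "localhost"))
```

In a controller this replaces the direct use of the parameter: `$this->redirect(safeRedirectTarget($_GET['returnUrl'], $_SERVER['HTTP_HOST']))` (hypothetical call shape) instead of `$this->redirect($_GET['returnUrl'])`. Returning a relative path rather than echoing the absolute URL back is deliberate: it sidesteps host-matching corner cases such as embedded credentials, unusual ports and mixed-case hosts, and it is easy to audit in a log of rejected values.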

Comments (14)

  1. Unknown user 7b331

    I tested this on demo.zurmo.com and was not able to replicate it. The demo is running on 3.2.1 and the latest downloadable version is 3.2.1.
    The issue seems to be patched with current versions.

  2. Unknown user 92090 reporter

    Hello,

    I did not check that vulnerability in the current version. I mentioned the version in which I found the flaw.

  3. Unknown user 7b331

    Don't get me wrong, it's great you found something, but why look into such an old version in the first place and not check if the vulnerability has been patched already?
    I guess you can close this ticket, as the fix is already deployed.

  4. Unknown user 92090 reporter

    Gabriel Shahzad, I am not taking you the wrong way. I reported that vulnerability on 2017-03-09, three months ago; at that time it was the latest stable version of zurmo.

  5. Unknown user 92090 reporter

    Okay,
    Gabriel, I will close the ticket because that flaw is not present in the new version.