Open URL Redirects / Unvalidated Redirects

Issue #431 new
Meshach M
created an issue

Description:

Hi, Hereby I would like to report a security vulnerability that I have found on zurmo-stable- 3.2.1.57987acc3018 in which an attacker can redirect the victim into a malicious domain by modifying the URL value to a malicious site and may successfully launch a phishing scam and steal user credentials.

Technical Description:

According to OWASP, Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Vulnerability Type: Open URL Redirects / Unvalidated Redirects

Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018

Affected Component: http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=http://www.strongboxit.com/ (Will add more when I test other components too)

Attack Vectors: Steps to Replicate:

  1. Login into zurmo-crm (User: super user).

  2. Go to the http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=%2Fzurmo%2Fapp%2Findex.php%2Fhome%2Fdefault&startDate=2017-09-12.

  3. Enter any redirect URL by modifying the original redirect URL and press enter. In this test case, I have used ?redirectUrl=http://www.strongboxit.com/.

  4. Fill the meeting form. Once done then click save. By clicking save button, the user will be redirected to the entered/modified (malicious) URL.

Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Discoverer: Meshach. M

Organization: StrongBox IT

Website: http://www.strongboxit.com/

Comments (10)

  1. Log in to comment