Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability

Title: Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability
Advisory ID: ZSL-2014-5206
Type: Local/Remote
Impact: Spoofing
Risk: (2/5)
Release Date: 18.11.2014
Summary
Snowfox is an open source Content Management System (CMS) that allows your website users to create and share content based on permission configurations.
Description
Input passed via the 'rd' GET parameter to the 'selectlanguage.class.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

--------------------------------------------------------------------------------

/modules/system/controller/selectlanguage.class.php:
----------------------

// Lines 28-31 of the file
if ($results && isset($inputs['rd'])){
    // The 'rd' GET parameter is used as the redirect target without verification
    header("location: ".$inputs['rd']);
}
return $results;

--------------------------------------------------------------------------------
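A hardened form of the redirect shown above, as an added example that is not part of the advisory and is not the vendor's 1.0.10 fix: the 'rd' value is accepted only when it is a root-relative path on the same site, and anything else falls back to a fixed location. The function name 'safe_redirect_target', the '/' fallback and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not Snowfox CMS code.

/**
 * Return $target when it is a root-relative, same-site path; otherwise $fallback.
 */
function safe_redirect_target($target, $fallback = '/')
{
    if (!is_string($target) || $target === '') {
        return $fallback;
    }
    // Control characters allow header injection or are stripped by browsers
    // before URL parsing; a backslash is treated like "/" by some browsers.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $target)) {
        return $fallback;
    }
    // Must start with exactly one "/": "//host" is scheme-relative and leaves the site.
    if ($target[0] !== '/' || (isset($target[1]) && $target[1] === '/')) {
        return $fallback;
    }
    // Fail closed if the parser rejects the value or sees a scheme or host in it.
    $parts = parse_url($target);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $target;
}

// In the controller, the redirect would then read:
//   header('Location: ' . safe_redirect_target($inputs['rd']));

// Constructed sample values for the 'rd' parameter.
$samples = array(
    '/index.php?lang=en',   // same-site path
    'http://example.org/',  // absolute URL
    '//example.org/',       // scheme-relative URL
    '/\\example.org',       // backslash variant
    "/ok\r\nX-Test: 1",     // CR/LF in the value
    '',                     // empty value
);
foreach ($samples as $rd) {
    printf("%-26s => %s\n", json_encode($rd), safe_redirect_target($rd));
}
```

Only the first sample is passed through unchanged; every other value is replaced by the fallback.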

Vendor
Globiz Solutions - http://www.snowfoxcms.org
Affected Version
1.0
Tested On
Apache/2.4.7 (Win32)
PHP/5.5.6
MySQL 5.6.14
Vendor Status
[20.11.2014] Vendor releases version 1.0.10 to address this issue.
PoC
snowfox_url.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2014110127
[2] http://packetstormsecurity.com/files/129162
[3] http://www.securityfocus.com/bid/71174
[4] http://xforce.iss.net/xforce/xfdb/98811
[5] https://github.com/GlobizSolutions/snowfox/releases
[6] http://osvdb.org/show/osvdb/114850
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9343
[8] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9343
Changelog
[18.11.2014] - Initial release
[19.11.2014] - Added reference [1], [2] and [3]
[20.11.2014] - Added vendor status and reference [4], [5] and [6]
[09.12.2014] - Added reference [7] and [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk