← Advisories

phlyLabs phlyMail Lite 4.03.04 (go param) Open Redirect Vulnerability

Low

Advisory ID

ZSL-2013-5123

Release Date

13 January 2013

Vendor

phlyLabs - http://www.phlymail.com

Affected Version

Lite 4.03.04

CVE

CVE-2013-5123

Tested On

Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.4, MySQL 5.5.25a

Summary

phlyMail offers you an interface in the browser to have access to your emails, contacts, appointments, tasks, files and bookmakrs from anyhwere, where you have internet access. This can be your home, workplace, train station, abroad, offroad, in the woods or your own backyard.

Description

Input passed via the 'go' parameter in 'derefer.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

/frontend/derefer.php:
----------------------

if (!isset($_REQUEST['go'])) exit;
$go = preg_replace('!\r|\n|\t!', '', $_REQUEST['go']);
if (strlen($go) == 0) exit;
if (!preg_match('!^(http://|https://|ftp://)!', $go) && $go{0} != '/') $go = 'http://'.$go;

header('Location: '.$go);
exit;

Proof of Concept

phlymail_or.txtTXT

Disclosure Timeline

23.01.2013Vendor releases version 4.3.57 to address this issue.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]http://cxsecurity.com/issue/WLB-2013010113

[2]http://www.exploit-db.com/exploits/24086/

[3]http://www.securityfocus.com/bid/57303

[4]http://packetstormsecurity.com/files/119527

[5]http://xforce.iss.net/xforce/xfdb/81217