Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability

Low
Advisory ID
ZSL-2014-5206
Release Date
18 November 2014
Vendor
Globiz Solutions - http://www.snowfoxcms.org
Affected Version
1.0
Tested On
Apache/2.4.7 (Win32), PHP/5.5.6, MySQL 5.6.14
Summary

Snowfox is an open source Content Management System (CMS) that allows your website users to create and share content based on permission configurations.

Description

Input passed via the 'rd' GET parameter in the 'selectlanguage.class.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

/modules/system/controller/selectlanguage.class.php (lines 28-31):
----------------------
if ($results && isset($inputs['rd'])){
    header("location: ".$inputs['rd']);
}
return $results;

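
The missing check, as an added example: this is not Snowfox code and not the vendor's 1.0.10 fix. It restricts a redirect parameter such as 'rd' to same-site relative paths and falls back to a default otherwise. The function name safe_redirect_target(), the '/' fallback and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (hypothetical helper, not part of Snowfox CMS).
// Returns $rd only if it is a same-site, root-relative path; otherwise $default.
function safe_redirect_target($rd, $default = '/')
{
    if (!is_string($rd) || $rd === '') {
        return $default;
    }
    // Reject control characters (CR/LF etc.) and backslashes;
    // browsers commonly treat "\" like "/", so "/\host" can leave the site.
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $rd)) {
        return $default;
    }
    // Require a single leading slash: "/page" is local, "//host" is protocol-relative.
    if ($rd[0] !== '/' || (isset($rd[1]) && $rd[1] === '/')) {
        return $default;
    }
    // Defence in depth: the parsed value must carry no scheme or host.
    $parts = parse_url($rd);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $rd;
}

// How the check would sit in the redirect shown above ($results and $inputs
// are the variables from the advisory's snippet):
//   if ($results && isset($inputs['rd'])) {
//       header('Location: ' . safe_redirect_target($inputs['rd']));
//   }

// Constructed sample inputs: one local path, then values that must fall back.
$samples = array(
    '/index.php?lang=en',
    'http://attacker.example/',
    '//attacker.example/',
    '/\\attacker.example',
    "/ok\r\nX-Injected: 1",
    'javascript:alert(1)',
);
foreach ($samples as $s) {
    printf("%-32s => %s\n", json_encode($s), safe_redirect_target($s));
}
```

An allowlist of known destinations, or mapping short identifiers to fixed URLs server-side, is stricter still where the set of redirect targets is small.
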
Proof of Concept
Disclosure Timeline
20.11.2014 - Vendor releases version 1.0.10 to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
18.11.2014 - Initial release
19.11.2014 - Added reference [1], [2] and [3]
20.11.2014 - Added vendor status and reference [4], [5] and [6]
09.12.2014 - Added reference [7] and [8]