u5CMS 3.9.3 Multiple Open Redirect Vulnerabilities

Low
Advisory ID
ZSL-2015-5227
Release Date
09 February 2015
Vendor
Stefan P. Minder - http://www.yuba.ch
Affected Version
3.9.3 and 3.9.2
Tested On
Apache 2.4.10 (Win32), PHP 5.6.3, MySQL 5.6.21
Summary

u5CMS is a little, handy Content Management System for medium-sized websites, conference / congress / submission administration, review processes, personalized serial mails, PayPal payments and online surveys based on PHP and MySQL and Apache.

Description

Input passed via the 'uri' GET parameter in the 'meta2.php' script and using the Cookie 'pidvesa' is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
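
For sites that ran an affected version, the following added example (not part of the original advisory and not u5CMS code) triages web server access logs for requests to 'meta2.php' whose 'uri' value points off-site. The log lines, the host www.example.org and the /cms/ path are constructed assumptions; the cookie case is not covered because the default combined log format does not record cookies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines, not real traffic.
# Assumptions: the site is www.example.org and the CMS lives under /cms/.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2015:10:01:02 +0100] "GET /cms/meta2.php?uri=index.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2015:10:02:40 +0100] "GET /cms/meta2.php?uri=http%3A%2F%2Fexternal.example.net%2F HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2015:10:03:11 +0100] "GET /cms/meta2.php?uri=//external.example.net/login HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2015:10:04:00 +0100] "GET /cms/index.php?c=start HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2015:10:05:00 +0100] "GET /cms/meta2.php?uri=http://www.example.org/cms/ HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) [^"]*"')


def offsite_host(target, site_hosts):
    """Return the external host (or raw value) a target leaves the site for, else None."""
    # Browsers treat "\" like "/" in http(s) URLs, so normalise before parsing.
    cleaned = target.strip().replace("\\", "/")
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return cleaned  # unparseable authority: flag for manual review
    if not parts.scheme and not parts.netloc:
        return None  # plain relative path stays on-site
    host = (parts.hostname or "").lower()
    if host in site_hosts:
        return None
    return host or cleaned  # e.g. a non-http scheme with no host


def find_offsite_redirects(log_text, site_hosts, script="meta2.php", param="uri"):
    """List (client_ip, timestamp, external_host) for off-site redirect targets."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client_ip, timestamp, request_uri = match.groups()
        url = urlsplit(request_uri)
        if not url.path.endswith("/" + script):
            continue
        for value in parse_qs(url.query).get(param, []):  # parse_qs percent-decodes
            host = offsite_host(value, site_hosts)
            if host:
                hits.append((client_ip, timestamp, host))
    return hits


if __name__ == "__main__":
    for hit in find_offsite_redirects(SAMPLE_LOG, {"www.example.org"}):
        print(*hit)
```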

Proof of Concept
Disclosure Timeline
29.12.2014 - Vulnerabilities discovered.
04.02.2015 - Contact with the vendor.
04.02.2015 - Vendor replies asking for more details.
05.02.2015 - Sent details to the vendor.
06.02.2015 - Vendor releases version 3.9.4 to address these issues.
09.02.2015 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
09.02.2015 - Initial release
11.02.2015 - Added reference [2], [3] and [4]
12.02.2015 - Added reference [5], [6] and [7]