AdaptCMS 3.0.3 HTTP Referer Header Field Open Redirect Vulnerability

Title: AdaptCMS 3.0.3 HTTP Referer Header Field Open Redirect Vulnerability
Advisory ID: ZSL-2015-5219
Type: Local/Remote
Impact: Spoofing
Risk: (2/5)
Release Date: 05.01.2015
Summary
AdaptCMS is a Content Management System trying to be both simple and easy to use, as well as very agile and extendable. Not only so we can easily create Plugins or additions, but so other developers can get involved. Using CakePHP we are able to achieve this with a built-in plugin system and MVC setup, allowing us to focus on the details and end-users to focus on building their website to look and feel great.
Description
Input passed via the 'Referer' header field is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.
Vendor
Insane Visions - http://www.adaptcms.com
Affected Version
3.0.3
Tested On
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vendor Status
N/A
PoC
adaptcms_url.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.com/files/129813
[2] http://www.securityfocus.com/bid/71871
[3] http://cxsecurity.com/issue/WLB-2015010021
[4] http://osvdb.org/show/osvdb/116721
[5] http://xforce.iss.net/xforce/xfdb/99618
[6] http://www.exploit-db.com/exploits/35710/
[7] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1060
[8] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1060
Changelog
[05.01.2015] - Initial release
[06.01.2015] - Added reference [1], [2], [3], [4], [5] and [6]
[17.01.2015] - Added reference [7] and [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk