Headline
CVE-2023-34916: Vulnerability Report - Unvalidated open redirection in ProcessAct.java · Issue #4 · fuge/cms
Fuge CMS v1.0 contains an Open Redirect vulnerability via /front/ProcessAct.java.
Description
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
The vulnerability exists in the file https://github.com/fuge/cms/blob/master/src/foo/core/action/front/ProcessAct.java where application is taking RETURN_URL parameter as a user input and passing it without any validation. in next lines this returnUrl paramter is being used for redirection.
Root Cause
As mentioned above the file https://github.com/fuge/cms/blob/master/src/foo/core/action/front/ProcessAct.java contains the following code:
@RequestMapping(value = "/process.jspx", method = RequestMethod.GET)
public String process(HttpServletRequest request,
HttpServletResponse response) {
String returnUrl = RequestUtils.getQueryParam(request,
LoginAct.RETURN_URL);
String authId = RequestUtils.getQueryParam(request, AUTH_KEY);
Authentication auth = authMng.retrieve(authId);
if (auth != null) {
authMng.storeAuthIdToSession(session, request, response, auth
.getId());
} else {
log.warn("Authentication id not found: {}", authId);
}
return "redirect:" + returnUrl;
}
Steps to reproduce
- Compile and run the following application using java.
- navigate to /process.jspx endpoint.
- modify the RETURN_URL parameter and enter the user controlled url. submit it.
- analyze the response.
Proof of Concept