Headline
CVE-2023-41609: CouchCMS v2.3 exists an open redirect vulnerability · Issue #190 · CouchCMS/CouchCMS
An open redirect vulnerability in the sanitize_url() parameter of CouchCMS v2.3 allows attackers to redirect a victim user to an arbitrary web site via a crafted URL.
The function sanitize_url() used to filter urls in /couch/functions.php does not set strict filtering rules.I found that the code does not filter \ characters.Although https:\www.bing.com is not a legitimate request,the URL of the request will be checked and corrected in the browser,resulting in the URL being corrected to https://www.bing.com, resulting in the vulnerability.
function sanitize_url( $url, $default=’’, $only_local=0 ){ $url = trim( $url ); $default = trim( $default );
if( strlen($url) ){
// Only chars permitted to remain unencoded in urls remain
$url = preg\_replace( array('/</', '/>/', '/"/', '/\\x00+/'), array('', '', '', ''), $url );
$url = preg\_replace( '|\[^a-z0-9:#@%/;,\\'$()~\_?\\+-=\\\\\\.&!\]|i', '', $url );
// remove newlines
$newlines = array('%0d', '%0D', '%0a', '%0A');
$found = true;
while( $found == true ){
$val\_before = $url;
for( $i = 0; $i < count($newlines); $i++ ){
$url = str\_replace( $newlines\[$i\], '', $url );
}
if( $val\_before == $url ){ $found = false; }
}
if( strlen($url) ){
if( $only\_local ){ // don't allow redirects external to our site
if( !strlen($default) ) $default\=K\_SITE\_URL;
if( strpos($url, '//')!==false ){
if( strpos($url, K\_SITE\_URL)!==0 ){
$url = $default;
}
}
elseif( strpos($url, '/\\\\')===0 ){
$url = $default;
}
}
}
else{
$url = $default;
}
}
else{
$url = $default;
}
return $url;
}