Web2py Open Redirection Vulnerability Technical Details & POC.
# Vulnerability Title : Web2py 2.9.11 Open Redirection Vulnerability
# Reported Date : 27-Jan-2014
# Fixed Date : 2-July-2015
# Author : Narendra Bhati
# CVE ID : CVE-2015-6961
# Additional Links –
* https://github.com/web2py/web2py/issues/731
1. Description
Web2py 2.9.11, a Python-based web framework, was vulnerable to an open redirection vulnerability.
The logout page "http://127.0.0.1:8000/user/logout?_next=http://websecgeeks.com" is vulnerable to open redirection.
Any external URL can be supplied in the "_next" GET parameter; whenever a user opens this URL, they are redirected to the external site (the attacker's site). Authentication is not required to exploit this.
http://127.0.0.1:8000/admin/default/index?password=bhati&send=http%3A%2F%2Fwebsecgeeks.com
This second URL can be exploited only with admin panel credentials.
Vulnerable URL
http://127.0.0.1:8000/user/logout?_next=http://websecgeeks.com
Vulnerable Parameter
"_next"
2. Proof of Concept
http://127.0.0.1:8000/user/logout?_next=http://websecgeeks.com
Solution For Web2py Open Redirection Vulnerability
Update to the latest version ;)
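For defenders, an added example (not web2py's own code, nor the author's) of the check a logout handler should apply to a "_next"-style parameter before redirecting: only same-site targets pass, everything else falls back to a fixed local path. The allowed host list and the fallback path are assumed values for a local deployment like the one in the advisory.

```python
from urllib.parse import urlsplit

# Hosts this application considers its own (assumed; adapt to the deployment).
ALLOWED_HOSTS = {"127.0.0.1:8000", "localhost:8000"}
# Where to send the user when "_next" is missing or untrusted (assumed).
DEFAULT_NEXT = "/default/index"


def safe_next(next_value, allowed_hosts=ALLOWED_HOSTS, fallback=DEFAULT_NEXT):
    """Return a redirect target that stays on this site, or the fallback.

    Rejects absolute URLs to foreign hosts (the advisory's payload),
    protocol-relative URLs (//host), backslash variants browsers treat as
    slashes, and non-http(s) schemes such as javascript:.
    """
    if not next_value:
        return fallback
    # Browsers drop whitespace/control characters and treat "\" like "/";
    # normalise the same way so those variants cannot bypass the parser.
    candidate = "".join(
        ch for ch in next_value if ch.isprintable() and not ch.isspace()
    ).replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.netloc and parts.netloc.lower() not in allowed_hosts:
        # Absolute or protocol-relative URL pointing off-site.
        return fallback
    # Rebuild a path-only URL: a single leading "/" so the result can never
    # become protocol-relative ("//host") even if the input path started so.
    path = "/" + parts.path.lstrip("/")
    if parts.query:
        path += "?" + parts.query
    if parts.fragment:
        path += "#" + parts.fragment
    return path
```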