DoorGets CMS 7.0 Open Redirect

DoorGets CMS version 7.0 suffers from an open redirect vulnerability.


MD5 | 1bcf47aa92dd9245470a475367ee8161

# Title: Open Redirect DoorGets CMS
# Version: 7.0
# vendor: https://github.com/doorgets/doorGets/
# Tested on: Windows 64-bit
# Author: Rudra Sarkar (@rudr4_sarkar)
# CVE: 2016-3726

1. Affected Param back=
2. Full URL
http://127.0.0.1/dg-user/?controller=authentification&back=http%3A%2F%2Fexploitlab.ex%2F
3. Go to login page you will get this type of URL
4. Now time for Redirect
5. Change the back= parm URL
http://exploitlab.ex/dg-user/?controller=authentification&back=http%3a%2f%2fevil.com%2f
6. Evil URL Like http://evil.com/ i encode the special charecter.
7. Now enter the URL in browser and press enter you will see login page.
8. Now Login using your email password
9. You will redirected to http://evil.com

# Timeline
18-06-17: Reported to the vendor
28-06-17: No reply from vendor
01-07-17: Assigned CVE-2016-3726

Related Posts

Comments