Improper Resolution of Path Equivalence in microweber-dev/whmcs_plugin
Feb 28th 2022
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.
STEPS TO REPRODUCE:
There is an open redirection vulnerability in the path https://microweber.com/get-started?ref=susp#frameurl=
The " frameurl= " fragment parameter is vulnerable to open redirect.
The filter can be bypassed by supplying the target URL base64-encoded.
"https://bing.com" encoded in base64 looks like = aHR0cHM6Ly9iaW5nLmNvbQ==
So you can visit the URL = https://microweber.com/get-started?ref=susp#frameurl=aHR0cHM6Ly9iaW5nLmNvbQ==
You can see that the URL redirects to bing.com.
An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
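The fix for the behaviour described above is to validate the decoded target before using it. The following is an added example of a hardened handler for the "#frameurl=" fragment parameter; it is not the plugin's own code, and the allowlisted origin and fallback path are assumptions. It base64-decodes the value, resolves it against the site's own origin, and refuses anything whose origin is not on the allowlist (including the bing.com payload from the report, protocol-relative URLs and non-http schemes).

```javascript
// Added example, not code from microweber-dev/whmcs_plugin.
// Assumption: the site's own origin is the only allowed frame/redirect target.
const ALLOWED_ORIGINS = new Set(["https://microweber.com"]);
const SAFE_FALLBACK = "https://microweber.com/get-started"; // assumed safe default

function decodeBase64Url(value) {
  // URLSearchParams turns '+' into a space; undo that, and accept URL-safe base64 too.
  const normalized = value.replace(/ /g, "+").replace(/-/g, "+").replace(/_/g, "/");
  // Reject anything that is not well-formed base64 before decoding.
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(normalized)) return null;
  return Buffer.from(normalized, "base64").toString("utf8");
}

function resolveFrameUrl(fragment) {
  // `fragment` is the part after '#', e.g. "frameurl=aHR0cHM6Ly9iaW5nLmNvbQ==".
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  const encoded = params.get("frameurl");
  if (!encoded) return SAFE_FALLBACK;

  const decoded = decodeBase64Url(encoded);
  if (decoded === null || decoded.length === 0) return SAFE_FALLBACK;

  let target;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep theirs.
    target = new URL(decoded, "https://microweber.com");
  } catch {
    return SAFE_FALLBACK; // not a parseable URL at all
  }

  // Origin check is the actual mitigation: "https://bing.com", "//bing.com",
  // "javascript:" and "data:" URLs all fail it and fall back to the safe default.
  if (!ALLOWED_ORIGINS.has(target.origin)) return SAFE_FALLBACK;
  return target.href;
}
```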