Improper Resolution of Path Equivalence in microweber-dev/whmcs_plugin

Valid

Reported on

Feb 28th 2022


DESCRIPTION

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

STEPS TO REPRODUCE:

There is an open redirection vulnerability at the path: https://microweber.com/get-started?ref=susp#frameurl=

Here, the "frameurl=" parameter is vulnerable to open redirect.

You can bypass this vulnerability using the Base64 encoding method.

Encode the URL "https://bing.com" in Base64, so it looks like: aHR0cHM6Ly9iaW5nLmNvbQ==

So you can visit the URL: https://microweber.com/get-started?ref=susp#frameurl=aHR0cHM6Ly9iaW5nLmNvbQ==

You can see that the URL redirects to bing.com.

Impact

An HTTP parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
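
A defensive check for the Base64-decoded "frameurl" value described above, as an added example that is not the plugin's code or the merged fix. The allowlist ALLOWED_HOSTS and the function names readFrameUrlParam and safeFrameUrl are assumptions made for illustration.

```javascript
// Added example: validate a Base64-encoded "frameurl" fragment value before
// using it as a frame or redirect target. ALLOWED_HOSTS and the function
// names are assumptions for illustration, not the plugin's actual code.
const ALLOWED_HOSTS = new Set(["microweber.com"]); // assumed allowlist

// Extract the raw frameurl value from a fragment such as "#frameurl=aHR0..."
function readFrameUrlParam(hash) {
  const match = /^#?frameurl=(.*)$/.exec(hash || "");
  return match ? match[1] : null;
}

// Return a normalized URL string if the decoded target is acceptable, else null.
function safeFrameUrl(hash, allowedHosts = ALLOWED_HOSTS) {
  const encoded = readFrameUrlParam(hash);
  if (!encoded) return null;

  let decoded;
  try {
    // Both calls throw on malformed input (bad percent-escape, bad Base64).
    decoded = atob(decodeURIComponent(encoded));
  } catch (e) {
    return null;
  }

  let target;
  try {
    target = new URL(decoded); // absolute URLs only; relative input throws
  } catch (e) {
    return null;
  }

  // Reject javascript:, data:, http: and anything else that is not https.
  if (target.protocol !== "https:") return null;
  // Credentials in the authority ("https://microweber.com@other.example")
  // disguise the real host; refuse them outright.
  if (target.username || target.password) return null;
  // Exact host match or a true subdomain, never a substring or prefix test.
  const host = target.hostname.toLowerCase();
  const ok = [...allowedHosts].some(h => host === h || host.endsWith("." + h));
  return ok ? target.href : null;
}
```

The caller should only navigate or set the frame source when safeFrameUrl returns a non-null value, and fall back to a fixed default page otherwise.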

We are processing your report and will contact the microweber-dev/whmcs_plugin team within 24 hours. 3 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
Peter Ivanov validated this vulnerability 3 months ago
Piyush shukla has been awarded the disclosure bounty
The fix bounty is now up for grabs
Peter Ivanov confirmed that a fix has been merged on 2e7a11 3 months ago
Peter Ivanov has been awarded the fix bounty
embed.js#L64-L74 has been validated
Piyush shukla
3 months ago

Researcher


Hello, I'm waiting for the CVE ID.

Piyush shukla
3 months ago

Researcher


Any bounty?

Jamie Slome
3 months ago

Admin


We can go ahead and publish a CVE if the maintainer is happy to do so. With regards to the bounty, this repository is not deemed popular enough by our pricing model to warrant bounty rewards.

Jamie Slome
3 months ago

Admin


@maintainer - can you please confirm that you are happy for us to assign and publish a CVE?

Peter Ivanov
3 months ago

Maintainer


Hi, yes, you can assign a CVE @admin

Jamie Slome
3 months ago

Admin


CVE assigned and published! 🎊

Piyush shukla
3 months ago

Researcher


CVE ID?

Piyush shukla
3 months ago

Researcher


Hello, thanks for assigning the CVE.

I want to know when are the Description and References going to be updated on https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0855 ?

Jamie Slome
3 months ago

Admin


Once this PR has been merged, the details will be made available on MITRE/NVD.
