Snowfox CMS v1.0 (rd param) Open Redirect Vulnerability Vendor: Globiz Solutions Product web page: http://www.snowfoxcms.org Affected version: 1.0 Summary: Snowfox is an open source Content Management System (CMS) that allows your website users to create and share content based on permission configurations. Desc: Input passed via the 'rd' GET parameter in 'selectlanguage.class.php' script is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. =========================================================================== \modules\system\controller\selectlanguage.class.php: ---------------------------------------------------- 28: if ($results && isset($inputs['rd'])){ 29: header("location: ".$inputs['rd']); 30: } 31: return $results; =========================================================================== Tested on: Apache/2.4.7 (Win32) PHP/5.5.6 MySQL 5.6.14 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5206 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5206.php 12.11.2014 -- http://10.0.18.3/snowfox/?uri=user/select-language&formAction=submit&rd=http://www.zeroscience.mk&languageId=us-en # Iranian Exploit DataBase = http://IeDb.Ir [2014-11-19]