AdaptCMS 3.0.3 HTTP Referer Header Field Open Redirect Vulnerability Vendor: Insane Visions Product web page: Affected version: 3.0.3 Summary: AdaptCMS is a Content Management System trying to be both simple and easy to use, as well as very agile and extendable. Not only so we can easily create Plugins or additions, but so other developers can get involved. Using CakePHP we are able to achieve this with a built-in plugin system and MVC setup, allowing us to focus on the details and end-users to focus on building their website to look and feel great. Desc: Input passed via the 'Referer' header field is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain. ==================================== \lib\Cake\Controller\Controller.php: ------------------------------------ Line: 956 .. .. Line: 974 ------------------------------------ Tested on: Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5219 Advisory URL: 29.12.2014 -- GET /adaptcms/admin/adaptbb/webroot/foo HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: adaptcms=uu16dmimdemvcq54h3nevq6oa0 Connection: keep-alive Referer: # Iranian Exploit DataBase = http://IeDb.Ir [2015-01-06]