# Title: Open Redirect DoorGets CMS # Version: 7.0 # vendor: https://github.com/doorgets/doorGets/ # Tested on: Windows 64-bit # Author: Rudra Sarkar (@rudr4_sarkar) # CVE: 2016-3726 1. Affected Param back= 2. Full URL http://127.0.0.1/dg-user/?controller=authentification&back=http%3A%2F%2Fexploitlab.ex%2F 3. Go to login page you will get this type of URL 4. Now time for Redirect 5. Change the back= parm URL http://exploitlab.ex/dg-user/?controller=authentification&back=http%3a%2f%2fevil.com%2f 6. Evil URL Like http://evil.com/ i encode the special charecter. 7. Now enter the URL in browser and press enter you will see login page. 8. Now Login using your email password 9. You will redirected to http://evil.com # Timeline 18-06-17: Reported to the vendor 28-06-17: No reply from vendor 01-07-17: Assigned CVE-2016-3726 # Iranian Exploit DataBase = http://IeDb.Ir [2017-07-02]