Thursday, 10 September 2015

Web2py 2.9.11 Open Redirection Vulnerability , CVE-2015-6961


Web2py Open Redirection Vulnerability Technical Details & POC.

# Vulnerability Title : Web2py 2.9.11 Open Redirection Vulnerability
# Reported Date      : 27-Jan-2014
# Fixed Date         : 2-July-2015
# Author             : Narendra Bhati
# CVE ID             : CVE-2015-6961
# Additional Links   :
* https://github.com/web2py/web2py/issues/731



1. Description

Web2py 2.9.11, a Python-based web framework, was vulnerable to an open redirection vulnerability.

The logout page "http://127.0.0.1:8000/user/logout?_next=http://websecgeeks.com" is vulnerable to open redirection.

Any external URL can be supplied in the "_next" GET parameter; whenever a user accesses this URL he is redirected to the external site (the attacker's site). Authentication is not required to exploit this.



http://127.0.0.1:8000/admin/default/index?password=bhati&send=http%3A%2F%2Fwebsecgeeks.com

This one can be exploited only if we have admin panel credentials.



Vulnerable URL

http://127.0.0.1:8000/user/logout?_next=http://websecgeeks.com

Vulnerable Parameter

"_next"

2. Proof of Concept



http://127.0.0.1:8000/user/logout?_next=http://websecgeeks.com
POC






Solution For Web2py Open Redirection Vulnerability



Update to latest version ;)
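For readers who cannot update immediately, or who want to understand what the fix has to do, the following is an added example of a defensive check for a "_next"-style redirect parameter. It is illustrative code written for this post, not web2py's own patch: it assumes the application keeps an explicit list of hosts it is willing to redirect to (the `allowed_hosts` parameter) and otherwise only accepts same-site relative paths.

```python
from urllib.parse import urlsplit

def is_safe_next(next_url, allowed_hosts=()):
    """Return True only if next_url is a same-site relative path or an
    http(s) URL whose host is explicitly allow-listed.

    Rejects the patterns that turn a "_next" parameter into an open redirect:
    absolute URLs to foreign hosts, scheme-relative URLs (//evil.example),
    non-http schemes (javascript:, data:) and backslash tricks that some
    browsers normalise into slashes.
    """
    if not next_url:
        return False
    parts = urlsplit(next_url)
    # Anything that is not plain http/https (javascript:, data:, ...) is out.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    # Absolute or scheme-relative URL: host must be on the allow-list.
    if parts.netloc:
        allowed = {h.lower() for h in allowed_hosts}
        return parts.netloc.lower() in allowed
    # Relative target: require a single leading slash, and refuse backslashes,
    # which browsers may treat as '/' (so '/\evil.example' becomes '//evil.example').
    if not next_url.startswith("/") or next_url.startswith("//") or "\\" in next_url:
        return False
    return True

def safe_redirect_target(next_url, default="/", allowed_hosts=()):
    """Pick the URL a logout handler should redirect to: the requested
    target when it passes is_safe_next, otherwise a fixed default."""
    return next_url if is_safe_next(next_url, allowed_hosts) else default

if __name__ == "__main__":
    # Constructed sample inputs, including the value from the PoC above.
    for candidate in ("http://websecgeeks.com", "//websecgeeks.com/x",
                      "/user/profile", "javascript:alert(1)", "/\\websecgeeks.com"):
        print(candidate, "->", safe_redirect_target(candidate, allowed_hosts=("127.0.0.1:8000",)))
```

The check works on the raw string as well as on the parsed parts on purpose: `urlsplit` alone would classify `http:///evil.example` as a relative path, and it does not reject backslashes, so a parser-only check leaves gaps that a browser would happily exploit.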
