{"id":39,"date":"2017-02-02T23:14:40","date_gmt":"2017-02-02T23:14:40","guid":{"rendered":"https:\/\/cp270.wordpress.com\/?p=39"},"modified":"2021-01-03T16:45:12","modified_gmt":"2021-01-03T16:45:12","slug":"security-advisory-open-url-redirect-in-sme-server","status":"publish","type":"post","link":"https:\/\/cpearson.icu\/?p=39","title":{"rendered":"Security Advisory &#8211; Open URL Redirect in Koozali SME Server"},"content":{"rendered":"<p><strong>Product:<\/strong> Koozali SME Server<br \/>\n<strong>Vendor:<\/strong> Koozali Foundation\/Open Source Software<br \/>\n<strong>Version:<\/strong> 8.x, 9.x, 10.x<br \/>\n<strong>Category:<\/strong> Open URL Redirect<br \/>\n<strong>Vendor Notified:<\/strong> 2017-01-11<br \/>\n<strong>Patched:<\/strong> 2017-01-23<br \/>\n<strong>Disclosed:<\/strong> 2017-02-02<br \/>\n<strong>Researcher(s):<\/strong> Carl Pearson<br \/>\n<strong>CVE:<\/strong> CVE-2017-1000027<\/p>\n<p><strong>Summary<\/strong><br \/>\nAn open URL redirect vulnerability exists in the user login function of Koozali SME Server. The server fails to validate the URL value of the &#8216;back&#8217; parameter. An unauthenticated remote attacker can exploit this vulnerability by crafting a link to the SME Server login page with an arbitrary attacker-chosen URL supplied for the &#8216;back&#8217; parameter and convincing a user to click it. Upon login, the user is redirected to the URL supplied in the &#8216;back&#8217; parameter. The user must supply valid credentials on the first login attempt or the URL changes and the attack fails.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/>\nThe following link would redirect users to www.google.com after successfully authenticating to the SME server:<br \/>\n<a href=\"#\">https:\/\/[server name or IP]\/server-common\/cgi-bin\/login?back=https%253a%252f%252fwww.google.com%252F<\/a><\/p>\n<p><strong>Impact<\/strong><br \/>\nThe browser cookie\/authentication token is tacked on as a parameter by the server before sending clients to the redirect URL. Therefore, if successful an attacker can obtain the authenticated user&#8217;s cookie and use it to gain access to their SME Server account.<\/p>\n<p><strong>Solution<\/strong><br \/>\nUpdate the e-smith-manager package on an SME Server installation to the latest version (yum update e-smith-manager). Refer to the SME Server security notice here: https:\/\/forums.contribs.org\/index.php\/topic,52838.0.html.<\/p>\n<p><strong>Reference<\/strong><br \/>\nSME Server Security Notice: https:\/\/forums.contribs.org\/index.php\/topic,52838.0.html<br \/>\nProject Home: https:\/\/wiki.contribs.org\/Main_Page<br \/>\nOWASP Open URL Redirects Overview: https:\/\/www.owasp.org\/index.php\/Unvalidated_Redirects_and_Forwards_Cheat_Sheet<\/p>\n<p>Edit 7\/13\/17: CVE identifier added.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Product: Koozali SME Server Vendor: Koozali Foundation\/Open Source Software Version: 8.x, 9.x, 10.x Category: Open URL Redirect Vendor Notified: 2017-01-11 Patched: 2017-01-23 Disclosed: 2017-02-02 Researcher(s): Carl Pearson CVE: CVE-2017-1000027 Summary An open URL redirect vulnerability exists in the user login function of Koozali SME Server. The server fails to validate [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-39","post","type-post","status-publish","format-standard","hentry","category-advisory"],"_links":{"self":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/39","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=39"}],"version-history":[{"count":1,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/39\/revisions"}],"predecessor-version":[{"id":170,"href":"https:\/\/cpearson.icu\/index.php?rest_route=\/wp\/v2\/posts\/39\/revisions\/170"}],"wp:attachment":[{"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=39"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=39"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cpearson.icu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=39"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}