Exploit Title: Newtelligence dasBlog Dest Redirect Privilege Escalation Vulnerability
Product: dasBlog
Vendor: Newtelligence
Vulnerable Versions: 2.3 (2.3.9074.18820) 2.2 (2.2.8279.16125) 2.1(2.1.8102.813)
Tested Version: 2.3 (2.3.9074.18820)
Advisory Publication: OCT 15, 2014
Latest Update: OCT 15, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]
Advisory Details:
Newtelligence dasBlog ct.ashx is vulnerable to Open Redirect attacks.
dasBlog
supports a feature called Click-Through which basically tracks all
links clicked inside your blog posts. It's a nice feature that allows
the blogger to stay informed what kind of content readers like. If
Click-Through is turned on, all URLs inside blog entries will be
replaced with <URL to your blog>/ct.ashx?id=<Blog entry
ID>&url=<URL-encoded original URL> which of course breaks
WebSnapr previews.
Web.config code:
<add verb="*"
path="ct.ashx"
type="newtelligence.DasBlog.Web.Services.ClickThroughHandler,
newtelligence.DasBlog.Web.Services"/>
(1) The vulnerability occurs at "ct.ashx?" page, with "&url" parameter,.
Solutions:
2014-10-15 Public disclosure with self-written patch.
References:
No comments:
Post a Comment