Product: Koozali SME Server
Vendor: Koozali Foundation/Open Source Software
Version: 8.x, 9.x, 10.x
Category: Open URL Redirect
Vendor Notified: 2017-01-11
Researcher(s): Carl Pearson
An open URL redirect vulnerability exists in the user login function of Koozali SME Server. The server fails to validate the URL value of the ‘back’ parameter. An unauthenticated remote attacker can exploit this vulnerability by crafting a link to the SME Server login page with an arbitrary attacker-chosen URL supplied for the ‘back’ parameter and convincing a user to click it. Upon login, the user is redirected to the URL supplied in the ‘back’ parameter. The user must supply valid credentials on the first login attempt or the URL changes and the attack fails.
Proof of Concept
The following link would redirect users to http://www.google.com after successfully authenticating to the SME server:
https://[server name or IP]/server-common/cgi-bin/login?back=https%253a%252f%252fwww.google.com%252F
The browser cookie/authentication token is tacked on as a parameter by the server before clients are sent to the redirect URL. Therefore, if the attack succeeds, the attacker can obtain the authenticated user’s cookie and use it to gain access to that user’s SME Server account.
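As an added illustration (this is not code from SME Server or from the e-smith-manager fix), the following Python shows the validation the login handler lacked: the ‘back’ value is percent-decoded until it stops changing, so the double-encoded proof-of-concept value above is recognised as an absolute URL, and only a same-site path is accepted, with anything else falling back to an assumed default landing page.

```python
from typing import Optional
from urllib.parse import unquote, urlsplit

# Assumed default post-login page; not taken from the advisory.
DEFAULT_LANDING = "/server-manager"


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until the value is stable.

    The proof of concept double-encodes its target
    (https%253a%252f%252f...), so a single unquote() would still hide
    the scheme from a naive "does it start with http" check.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def safe_redirect_target(back: Optional[str]) -> str:
    """Return a same-site path to redirect to after login, or the default.

    Accepted: a single leading '/', no scheme, no authority, no
    backslashes (browsers normalise '\\' to '/'), no control characters.
    """
    if not back:
        return DEFAULT_LANDING
    candidate = fully_decode(back)
    # '//host' is scheme-relative and would leave the site; reject it
    # before urlsplit() so the check does not depend on parser quirks.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_LANDING
    if "\\" in candidate or any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return DEFAULT_LANDING
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    return candidate
```

The same check applies whether the parameter arrives single-encoded, double-encoded or raw, which is why decoding to a fixed point precedes the path test.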
Remediation
Update the e-smith-manager package on an SME Server installation to the latest version (yum update e-smith-manager). Refer to the SME Server security notice here: https://forums.contribs.org/index.php/topic,52838.0.html.
References
SME Server Security Notice: https://forums.contribs.org/index.php/topic,52838.0.html
Project Home: https://wiki.contribs.org/Main_Page
OWASP Open URL Redirects Overview: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Edit 7/13/17: CVE identifier added.