Security Advisory – Open URL Redirect in Koozali SME Server

Product: Koozali SME Server
Vendor: Koozali Foundation/Open Source Software
Version: 8.x, 9.x, 10.x
Category: Open URL Redirect
Vendor Notified: 2017-01-11
Patched: 2017-01-23
Disclosed: 2017-02-02
Researcher(s): Carl Pearson
CVE: CVE-2017-1000027

Summary
An open URL redirect vulnerability exists in the user login function of Koozali SME Server. The server fails to validate the URL value of the ‘back’ parameter. An unauthenticated remote attacker can exploit this vulnerability by crafting a link to the SME Server login page with an arbitrary attacker-chosen URL supplied for the ‘back’ parameter and convincing a user to click it. Upon login, the user is redirected to the URL supplied in the ‘back’ parameter. The user must supply valid credentials on the first login attempt or the URL changes and the attack fails.

Proof of Concept
The following link would redirect users to http://www.google.com after successfully authenticating to the SME server:
https://[server name or IP]/server-common/cgi-bin/login?back=https%253a%252f%252fwww.google.com%252F

Impact
The browser cookie/authentication token is tacked on as a parameter by the server before sending clients to the redirect URL. Therefore, if successful an attacker can obtain the authenticated user’s cookie and use it to gain access to their SME Server account.

Solution
Update the e-smith-manager package on an SME Server installation to the latest version (yum update e-smith-manager). Refer to the SME Server security notice here: https://forums.contribs.org/index.php/topic,52838.0.html.

Reference
SME Server Security Notice: https://forums.contribs.org/index.php/topic,52838.0.html
Project Home: https://wiki.contribs.org/Main_Page
OWASP Open URL Redirects Overview: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Edit 7/13/17: CVE identifier added.

Advertisements

One thought on “Security Advisory – Open URL Redirect in Koozali SME Server

  1. Pingback: CVE-2017-1000027 – 安百科技

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s