Product: Koozali SME Server
Vendor: Koozali Foundation/Open Source Software
Version: 8.x, 9.x, 10.x
Category: Open URL Redirect
Vendor Notified: 2017-01-11
Patched: 2017-01-23
Disclosed: 2017-02-02
Researcher(s): Carl Pearson
CVE: CVE-2017-1000027
Summary
An open URL redirect vulnerability exists in the user login function of Koozali SME Server. The server fails to validate the URL value of the ‘back’ parameter. An unauthenticated remote attacker can exploit this vulnerability by crafting a link to the SME Server login page with an arbitrary attacker-chosen URL supplied for the ‘back’ parameter and convincing a user to click it. Upon login, the user is redirected to the URL supplied in the ‘back’ parameter. The user must supply valid credentials on the first login attempt or the URL changes and the attack fails.
Proof of Concept
The following link would redirect users to http://www.google.com after successfully authenticating to the SME server:
https://[server name or IP]/server-common/cgi-bin/login?back=https%253a%252f%252fwww.google.com%252F
Impact
The browser cookie/authentication token is tacked on as a parameter by the server before sending clients to the redirect URL. Therefore, if successful an attacker can obtain the authenticated user’s cookie and use it to gain access to their SME Server account.
Solution
Update the e-smith-manager package on an SME Server installation to the latest version (yum update e-smith-manager). Refer to the SME Server security notice here: https://forums.contribs.org/index.php/topic,52838.0.html.
Reference
SME Server Security Notice: https://forums.contribs.org/index.php/topic,52838.0.html
Project Home: https://wiki.contribs.org/Main_Page
OWASP Open URL Redirects Overview: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Edit 7/13/17: CVE identifier added.
Carl's blog 
Pingback: CVE-2017-1000027 – 安百科技