Open Redirect In Login

[kajalNair]

I followed your previous issues and found that it has been already disclosed and closed as "mitigated" but I am still able to reproduce it.
In this scenario, an attacker can directly append "redirect" parameter to the login page URL request and after successful login, it redirects the user to arbitrary page.
The vulnerability is present because application still looks for redirect parameter in URL (in GetSimpleCMS-master\admin\inc\template_functions.php file) and if present, sets the redirection to specified path.

[kajalNair]

The vulnerable function:

function gotoDefaultPage(){
	if (isset($_GET['redirect'])) redirect(htmlentities($_GET['redirect']));
	else redirect(getDef('GSDEFAULTPAGE'));

}

[tablatronix]

#1300

What version is this against?

[kajalNair]

[kajalNair]

3.4.0 version

[tablatronix]

ok, thanks

Looks like this was only hotfixed, 3.x

[kajalNair]

Does this qualify for a CVE?

[tablatronix]

3.4 is alpha, so not release. Probably not

[tablatronix]

https://github.com/GetSimpleCMS/GetSimpleCMS/releases/tag/v3.4.0.9

[kajalNair]

okay, cool.