Account Takeover through Login/Redirect

[grozdniyandy]

Description

Login credentials should be posted only via POST request but get sent via GET request.

Proof of Concept

https://demo.microweber.org/v2/api/user_login?username=admin&password=password&http_redirect=1&where_to=admin_content

Impact

Attacker will get credentials through traffic as they are passed in GET request

Remediation

I think the problem is with the redirect after login. I am not a programmer but maybe issue is related to this code

                <?php if (isset($_GET['redirect'])): ?>
                <input type="hidden" value="<?php echo mw()->format->clean_xss($_GET['redirect']); ?>" name="redirect">
                <?php endif; ?>

Reference

https://cwe.mitre.org/data/definitions/598.html - Use of GET Request Method With Sensitive Query Strings

CVSS Score

Request

It would be great if it is possible to assign a CVE as huntr dev is not accepting reports to your repo.

[peter-mw]

Thanks for report. Fixed for version 2.0.4

[grozdniyandy]

Thanks for the reply. Is there any way to hunt and get CVEs, because huntr.dev (huntr.com) is no longer accepting responses and I really wanna pentest your product.

[peter-mw]

hi , can you try to submit from the profile link https://huntr.com/repos/microweber/microweber

[grozdniyandy]

It doesn't get submitted no matter what I do, i guess the product isn't supported anymore.

[peter-mw]

Hi, i have send them a message from the contact form at https://huntr.com/contact-us

[grozdniyandy]

Thanks! Please let me know if there is any update!

[peter-mw]

This is what i got as response on discord

[grozdniyandy]

That's sad, I submitted CVE to MITRE, hopefully they will reply. Thanks for contacting them!