OrangeForum 1.4.0 Open Redirection

OrangeForum 1.4.0 Open Redirection

OrangeForum 1.4.0 - Open Redirection
Advisory ID: RO-18-003
Severity: OrangeForum 1.4.0 Open Redirection

OrangeForum 1.4.0 - Open Redirection
Advisory ID: RO-18-003
Severity: Medium
Vendor: OrangeForum
Product: OrangeForum
Version: 1.4.0


Overview #

An Open Redirection vulnerability exists in OrangeForum version 1.4.0. The vulnerability allows remote attackers to redirect users to arbitrary external websites.


Vulnerability Details #

Affected Versions: 1.4.0 and earlier

Root Cause: Insufficient validation of redirect URLs allows attackers to redirect users to malicious websites.


Exploitation Requirements #

No authentication required
Victim must click a crafted link

Impact #

Remote attackers can exploit this vulnerability to:

Redirect users to phishing sites
Steal user credentials via fake login pages
Distribute malware

Proof of Concept #

Details available upon request.


Solution #

Upgrade to a patched version of OrangeForum that includes proper URL validation.


References #

Vendor notification sent

Timeline:

[2018-01-01] - Discovered

Credits: Omar Kurt