This vulnerability is an open redirect within the `/authentication/` endpoint of Mayan EDMS. The flaw exists due to improper validation of user-supplied redirect URLs. Specifically, the application does not sufficiently sanitize or whitelist the target destination parameter in certain authentication-related requests. An attacker can craft a malicious URL containing the vulnerable `/authentication/` path appended with a deceptive redirect parameter (e.g., `?next=http://evil.com`). When a victim clicks this link, they are first directed to the legitimate Mayan EDMS login page. Upon any authentication interaction or page load logic, the application automatically forwards the user’s browser to the attacker-controlled domain specified in the parameter. This allows phishing attacks where the initial URL appears trustworthy, leveraging the site’s domain to increase credibility. The attack is remote and requires no authentication, relying on user interaction to be successful.
Platform: Mayan EDMS
Version: 4.7.0 – 4.10.1
Vulnerability: Open Redirect
Severity: Low
Date: 2024-12-15
Prediction: 2024-12-22
What Undercode Says:
A quick check with curl: request the endpoint with an external `next` value and inspect the response headers for a `Location` pointing off-site.

```shell
# -I sends a HEAD request and prints only the response headers;
# an unpatched instance answers with a Location header for the external host.
curl -I "http://target/authentication/?next=https://evil.com"
```

The same check from Python, without following the redirect so the `Location` header can be read directly:

```python
import requests

url = 'http://mayan-server/authentication/'
params = {'next': 'http://attacker.phish/login'}

# allow_redirects=False keeps the 3xx response so we can read where it points
resp = requests.get(url, params=params, allow_redirects=False)
print(f"Redirect Location: {resp.headers.get('Location')}")
```
How the exploit works:
1. Attacker crafts URL: `http://victim-server/authentication/?next=http://malicious.site/steal`
2. Sends link via email/phishing.
3. Victim clicks, sees legitimate Mayan login page.
4. Page automatically redirects victim to malicious site.
5. Attacker harvests credentials or serves malware.
Protection from this vulnerability:
Upgrade to patched versions: 4.10.2, 4.9.7, 4.8.10, 4.7.8, or 4.6.12.
Implement server-side whitelist for redirect URLs.
Validate all redirect destinations.
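As an added example (not code from the original post or from the Mayan EDMS project), the following implements the two protective measures above: a redirect validator that only accepts relative paths or absolute URLs on an allow-listed host, plus a scan of web-server access log lines that flags `next` values an unpatched instance would have followed. The host name `mayan.example.internal`, the log lines and all function names are constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hosts a redirect may point to. Constructed for this example; in a real
# deployment this is the application's own public host name(s).
ALLOWED_HOSTS = frozenset({"mayan.example.internal"})
SAFE_FALLBACK = "/"


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `target` is a relative path or an http(s) URL whose
    host is in `allowed_hosts`. Everything else is treated as an open redirect."""
    if not target:
        return False
    # Browsers treat backslashes as forward slashes, so "/\evil.com" reaches
    # evil.com even though urlsplit would call it a relative path. Normalise first.
    normalised = target.strip().replace("\\", "/")
    if not normalised:
        return False
    # Scheme-relative targets ("//evil.com", "///evil.com") leave the site
    # without naming a scheme; reject them outright.
    if normalised.startswith("//"):
        return False
    parts = urlsplit(normalised)
    # Only plain http(s) may be followed; "javascript:", "data:" etc. are out.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        # No authority: a path-relative target such as "/documents/". A scheme
        # with no host ("http:///x") is malformed, so refuse it.
        return not parts.scheme
    # .hostname lowercases and strips userinfo and port, so
    # "http://mayan.example.internal@evil.com/" resolves to "evil.com".
    return parts.hostname in allowed_hosts


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Value the login view should actually redirect to."""
    return target if is_safe_redirect(target, allowed_hosts) else SAFE_FALLBACK


# Constructed access-log lines in the common combined format.
LOG_LINES = [
    '10.0.0.5 - - [15/Dec/2024:10:01:02 +0000] "GET /authentication/?next=/documents/ HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Dec/2024:10:02:10 +0000] "GET /authentication/?next=http://attacker.phish/login HTTP/1.1" 200 5120',
    '10.0.0.9 - - [15/Dec/2024:10:02:11 +0000] "GET /authentication/?next=//evil.com/ HTTP/1.1" 200 5120',
    '10.0.0.7 - - [15/Dec/2024:10:03:00 +0000] "GET /authentication/?next=https://mayan.example.internal/documents/ HTTP/1.1" 200 5120',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_unsafe_next(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, next_value) for every /authentication/ request whose
    `next` parameter fails the validator, i.e. a redirect attempt worth a look."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        request = urlsplit(match.group(1))
        if not request.path.startswith("/authentication/"):
            continue
        client_ip = line.split(" ", 1)[0]
        for value in parse_qs(request.query).get("next", []):
            if not is_safe_redirect(value, allowed_hosts):
                hits.append((client_ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in find_unsafe_next(LOG_LINES):
        print(f"{ip} requested redirect to {value!r} -> served {safe_redirect_target(value)!r}")
```

In a Django application such as Mayan EDMS the same allow-list check is available as `django.utils.http.url_has_allowed_host_and_scheme`; the hand-written version above shows which cases (backslashes, scheme-relative URLs, userinfo tricks, non-http schemes) such a check has to cover, and the log scan gives a retrospective view of whether the unpatched endpoint was being used this way.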
Impact:
Increased credibility of phishing attacks.
Potential credential theft.
Exploitation of user trust.
Sources:
Reported By: github.com