OrangeForum 1.4.0 - Open Redirection

Overview

An Open Redirection vulnerability exists in OrangeForum version 1.4.0. The vulnerability allows remote attackers to redirect users to arbitrary external websites.

Vulnerability Details

Affected Versions: 1.4.0 and earlier

Root Cause: Insufficient validation of redirect URLs allows attackers to redirect users to malicious websites.

Exploitation Requirements

  • No authentication required
  • Victim must click a crafted link

Impact

Remote attackers can exploit this vulnerability to:

  • Redirect users to phishing sites
  • Steal user credentials via fake login pages
  • Distribute malware

Proof of Concept

Details available upon request.

Solution

Upgrade to a patched version of OrangeForum that properly validates redirect targets before issuing a redirect (for example, by accepting only same-origin paths and rejecting absolute or protocol-relative URLs).
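As an illustration of what "proper URL validation" means for a redirect parameter, the following is an added example written for this advisory; it is not OrangeForum's code, and the parameter name `next` and the handler wiring are assumptions. It contrasts the unsafe pattern (passing the user-supplied value straight to the redirect) with a validator that only ever returns a same-origin path, falling back to a safe default for anything that could leave the site.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// unsafeRedirect shows the root-cause pattern: the redirect target comes
// straight from the request with no validation, so any absolute URL is
// accepted. (Illustrative only; not OrangeForum's actual handler.)
func unsafeRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.FormValue("next"), http.StatusSeeOther)
}

// SafeRedirectTarget validates a user-supplied redirect value and returns a
// same-origin path, or fallback when the value is absent or unacceptable.
// Rejected: absolute URLs (any scheme), protocol-relative "//host",
// backslash variants browsers treat as "//host", percent-encoded slashes
// that decode to one of those, bare relative paths, and control characters.
func SafeRedirectTarget(raw, fallback string) string {
	if raw == "" {
		return fallback
	}
	// Control characters have no place in a Location header.
	for _, c := range raw {
		if c < 0x20 || c == 0x7f {
			return fallback
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fallback
	}
	// Anything that parsed into a scheme, authority or opaque part is off-site.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return fallback
	}
	// Check the decoded path: "/%2Fhost" decodes to "//host", and browsers
	// treat "/\host" like "//host". Only single-slash-rooted paths pass.
	p := u.Path
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.HasPrefix(p, "/\\") {
		return fallback
	}
	// Rebuild from validated components; the fragment is dropped because the
	// server never needs it and it cannot change the origin.
	out := u.EscapedPath()
	if u.RawQuery != "" {
		out += "?" + u.RawQuery
	}
	return out
}

// safeRedirect is the hardened form of unsafeRedirect: the "next" parameter
// (assumed name) is validated and defaults to the site root.
func safeRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, SafeRedirectTarget(r.FormValue("next"), "/"), http.StatusSeeOther)
}

func main() {
	// Constructed sample inputs: the first two are legitimate on-site targets,
	// the rest are shapes a validator must refuse.
	cases := []string{
		"/thread/42",
		"/search?q=forum&page=2",
		"https://evil.example/login",
		"//evil.example/",
		"/\\evil.example",
		"/%2Fevil.example",
		"thread/42",
		"",
	}
	for _, c := range cases {
		fmt.Printf("%-28q -> %q\n", c, SafeRedirectTarget(c, "/"))
	}
	_ = unsafeRedirect
	_ = safeRedirect
}
```

The validator deliberately checks the decoded `Path` rather than the raw string, so encodings that a browser would later interpret as an authority (`%2F` after the leading slash) are caught, and it rebuilds the output from parsed components instead of echoing the input. An allow-list of known routes would be stricter still; the approach above is the minimum that closes the off-site redirect.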

References

  • Vendor notification sent