CVE-2018-8937
Description
An issue was discovered in Open-AudIT Professional 2.1. It is possible to inject a malicious payload in the redirect_url parameter to the /login URI to trigger an open redirect. A "data:text/html;base64," payload can be used with JavaScript code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Open-AudIT Professional 2.1 contains an open redirect vulnerability in the `/login` endpoint via the `redirect_url` parameter, which can be exploited for phishing or reflected XSS.
Vulnerability
Open-AudIT Professional 2.1 does not validate the redirect_url parameter of the /login URI. An attacker can supply an arbitrary destination, including a data:text/html;base64,... URI carrying JavaScript, and after login the application redirects the user to it [1]. This is an input-validation flaw of the open-redirect class (CWE-601): untrusted request data controls the redirect target.
Exploitation
An attacker crafts a link to the login page of the form http:///omk/open-audit/login?redirect_url=http://attacker.com (host elided in the reference) or sets redirect_url to a data: URI with base64-encoded JavaScript. No authentication is required; the victim only has to follow the link and complete the login. The referenced blog post demonstrates a proof of concept with redirect_url set to data:text/html;base64,PHNjcmlwdD5hbGVydCgnQk9PTScpPC9zY3JpcHQ+, which decodes to <script>alert('BOOM')</script> and pops an alert in browsers that still allow top-level navigation to data: URLs [1].
Impact
Successful exploitation yields an open redirect: a link that genuinely points at the Open-AudIT host, which makes credential-harvesting phishing pages on the attacker's site far more convincing. The data: URI variant additionally executes attacker-supplied JavaScript in the victim's browser, which the reference labels reflected XSS [1]. Note that a data: document runs in an opaque (null) origin, not the application's origin, so it cannot read Open-AudIT's cookies or DOM directly; its practical value is a fully attacker-controlled page served through a trusted-looking link. Current Chrome and Firefox releases also block top-level navigation to data: URLs, so the JavaScript variant mainly affects older browsers, while the plain http(s) redirect works everywhere.
Mitigation
No official fix is disclosed in the available references. The login endpoint itself cannot reasonably be restricted, since users must reach it, so the control belongs on the redirect_url parameter: accept only same-site relative paths (or an explicit allowlist of targets), reject any value with a scheme or authority component (http://, //host, data:, javascript:), and fall back to a fixed post-login page otherwise. Rebuild the redirect target from parsed components rather than echoing the raw parameter, so that browser-side parsing quirks such as backslashes or extra leading slashes cannot smuggle a host past the check. Upgrading to a release in which the vendor has addressed this, if one is available, is recommended.
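As an added example (not code from the page, from Open-AudIT or from the referenced blog post), the following Python sketches the two behaviours described in the Exploitation and Mitigation sections: a post-login redirect that trusts redirect_url as-is, and a hardened replacement that accepts only same-site relative paths. The POC_DATA_URI constant is the proof-of-concept string quoted from the reference; every other sample input is constructed here. The function names are hypothetical, and since Open-AudIT is a PHP application this illustrates the check rather than the project's own code.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

# Proof-of-concept value from the referenced blog post (the only input
# below that comes from the page); decodes to <script>alert('BOOM')</script>.
POC_DATA_URI = "data:text/html;base64,PHNjcmlwdD5hbGVydCgnQk9PTScpPC9zY3JpcHQ+"


def decode_data_uri_payload(uri):
    """Decode the body of a base64 data: URI, e.g. when triaging a captured request."""
    header, _, body = uri.partition(",")
    lowered = header.lower()
    if not lowered.startswith("data:") or ";base64" not in lowered:
        raise ValueError("not a base64 data: URI")
    return base64.b64decode(body).decode("utf-8", errors="replace")


def vulnerable_redirect_target(redirect_url, default="/"):
    """The pattern the advisory describes: whatever the client sent is used verbatim."""
    return redirect_url or default


def safe_redirect_target(redirect_url, default="/"):
    """Return redirect_url only if it is a same-site relative path; otherwise `default`.

    Hypothetical hardened replacement (not Open-AudIT's code). The rules are:
    no control characters, whitespace or backslashes; no scheme; no authority;
    path must start with exactly one slash; and the result is rebuilt from the
    parsed pieces instead of echoing the raw parameter.
    """
    if not redirect_url:
        return default
    # Browsers treat '\' like '/' in the authority part and strip C0 controls,
    # so anything containing them is rejected outright rather than normalised.
    if any(ord(c) <= 0x20 or c == "\\" for c in redirect_url):
        return default
    parts = urlsplit(redirect_url)
    # Any scheme (http:, data:, javascript:) or netloc (//evil.example) is off-site.
    if parts.scheme or parts.netloc:
        return default
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default
    # Rebuilding from components drops anything urlsplit did not classify as
    # path/query/fragment; e.g. "///evil.example" (which browsers would read as
    # protocol-relative) comes back as the harmless path "/evil.example".
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def compare_handlers(candidates):
    """Run constructed redirect_url values through both handlers side by side."""
    return {c: (vulnerable_redirect_target(c), safe_redirect_target(c)) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: the PoC plus common open-redirect bypass shapes.
    samples = [
        POC_DATA_URI,
        "http://attacker.example/login",
        "//attacker.example/login",
        "/\\attacker.example",
        "///attacker.example",
        "javascript:alert(1)",
        "/omk/open-audit/devices?view=list#top",
    ]
    print("PoC decodes to:", decode_data_uri_payload(POC_DATA_URI))
    for value, (vuln, safe) in compare_handlers(samples).items():
        print(f"{value!r:60} vulnerable -> {vuln!r:60} safe -> {safe!r}")
```

The decisive design choice is the last line of safe_redirect_target: returning a string rebuilt from the parsed path, query and fragment means the server only ever emits what its own parser classified as a local path, so a disagreement between Python's URL parser and the browser's cannot be turned into an off-site redirect.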
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.1.0
- Range: = 2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] nileshsapariya.blogspot.ae/2018/03/open-redirect-to-reflected-xss-open.html (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.