AcyMailing < 7.5.0 – Open Redirect | CVE 2021-24288

Description

When subscribing using AcyMailing, the "redirect" parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.

Proof of Concept

When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully go through with the subscription. Any redirection configuration(s) will not be applied, i.e. the landing page can be changed at will. The email though must be unique for each try.

http://example.com/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email]=example@mail.com&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym

Will redirect to example.com. You can change the redirect value to any webpage.