AcyMailing < 7.5.0 - Open Redirect
Description
When subscribing using AcyMailing, the "redirect" parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
Proof of Concept
When using acymailing to subscribe to a newsletter, you make a POST request with various parameters. Turning that to a GET request and adding the parameters as GET parameters, you can successfully go through with the subscription. Any redirection configuration(s) will not be applied, i.e. the landing page can be changed at will. The email though must be unique for each try. http://example.com/index.php?page=acymailing_front&ctrl=frontusers&noheader=1&user[email][email protected]&ctrl=frontusers&task=subscribe&option=acymailing&redirect=https://example.com&ajax=0&acy_source=widget%202&hiddenlists=1&acyformname=formAcym93841&acysubmode=widget_acym Will redirect to example.com. You can change the redirect value to any webpage.
Affects Plugins
Fixed in version 7.5.0✓
References
Classification
Miscellaneous
Original Researcher
Viktor Markopoulos
Submitter
Viktor Markopoulos
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-04-29 (about 1 months ago)
Added
2021-04-29 (about 1 months ago)
Last Updated
2021-05-01 (about 1 months ago)