Below you may find a description of a vulnerability I found in Babel, a CMSMS module, while searching for sites affected by open redirection vulnerabilities (a write-up of the research, in Czech, may be found here). Further discussion of this vulnerability can be found here.
Affected Software: Babel: Multilingual Site module for CMS Made Simple
Affected Version: 0.4.1 and earlier
Patched Version: None - project is no longer under development
CVE Identifier: CVE-2019-1010290
Vulnerability type: CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
Severity Rating: CVSS v3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
The Babel multi-language module for CMSMS contains an open redirect vulnerability in its redirect.php script. The script takes a parameter specifying the URL to which the browser should be redirected, and that URL is not restricted in any way. It is therefore possible to craft a link to a Babel-enabled site that redirects the browser to any URL the attacker chooses, including one outside the originating domain. This is especially useful for phishing: the attacker creates a link that points at a trusted site but, without the user's knowledge, redirects them to a fake or malicious site. All CMSMS sites with the Babel module installed are affected, since redirect.php is always publicly accessible.
The Babel module lets CMSMS sites switch easily between multiple translations of page content. The desired translation is chosen by sending a GET request to vulnerable.site/modules/babel/redirect.php. Under normal conditions this PHP script takes two parameters, “newlang” and “newurl”: the first sets the desired language and the second sets the URL that should be displayed in that language. A non-working example of what such a URL might look like is:
The vulnerability is caused by the complete absence of any filtering or validation of the “newurl” parameter before it is used as the redirect target (the “newlang” parameter is, for our purposes, optional and may be omitted).
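The following is an added example, not code from the Babel module or from the original write-up. It models the check that a redirect handler like redirect.php is missing: a `newurl`-style value is only accepted when it resolves to the originating site once a browser follows the Location header, and the vulnerable "echo the parameter" behaviour is shown beside the hardened one. The origin `https://vulnerable.site`, the canary host `canary.example`, the function names and the sample targets are all constructed for illustration; only the `/modules/babel/redirect.php` path and the `newurl` parameter name come from the text above. The probe helper at the end builds the kind of test URL one would use when searching for affected sites and classifies the server's Location header offline.

```python
"""Same-origin redirect check plus a probe helper for a newurl-style parameter.

Added example, not Babel's own code. SITE_ORIGIN, CANARY and the sample
targets below are constructed for illustration.
"""
from urllib.parse import quote, urljoin, urlsplit

SITE_ORIGIN = "https://vulnerable.site"   # hypothetical Babel-enabled site
CANARY = "https://canary.example/ping"    # hypothetical tester-controlled URL


def is_safe_redirect_target(newurl: str, site_origin: str = SITE_ORIGIN) -> bool:
    """True only if `newurl` lands on `site_origin` once the browser follows it."""
    if not newurl or any(ord(ch) < 0x20 for ch in newurl):
        # CR/LF could break out of the Location header; browsers strip tabs
        # and NULs in ways Python's parser does not mirror. Refuse them all.
        return False
    # Browsers treat '\' as '/' and collapse any run of leading slashes into a
    # scheme-relative URL ("//host", "/\host", "///host" all leave the site).
    # urljoin does not, so reject those forms before parsing.
    candidate = newurl.strip().replace("\\", "/")
    if candidate.startswith("//"):
        return False
    try:
        resolved = urlsplit(urljoin(site_origin + "/", candidate))
        origin = urlsplit(site_origin)
        port_ok = resolved.port == origin.port   # .port raises on ":abc"
    except ValueError:                            # malformed host or port
        return False
    if resolved.scheme != origin.scheme:
        return False   # javascript:, data:, or an http downgrade of an https site
    # Compare hostnames, not netloc: "vulnerable.site@evil.example" parses with
    # userinfo "vulnerable.site" and hostname "evil.example".
    if (resolved.hostname or "").lower() != (origin.hostname or "").lower():
        return False
    return port_ok


def redirect_location_vulnerable(params: dict) -> str:
    """What an unfiltered handler does: the parameter becomes the Location."""
    return params.get("newurl", "/")


def redirect_location_hardened(params: dict, site_origin: str = SITE_ORIGIN) -> str:
    """Only follow newurl when it stays on the site; otherwise go to the root."""
    target = params.get("newurl", "")
    return target if is_safe_redirect_target(target, site_origin) else "/"


def build_probe_url(site_origin: str, canary: str = CANARY) -> str:
    """Probe request for a site: ask redirect.php to send us to the canary."""
    return f"{site_origin}/modules/babel/redirect.php?newurl={quote(canary, safe='')}"


def location_is_open_redirect(location_header: str, site_origin: str,
                              canary: str = CANARY) -> bool:
    """True when the Location header from the probe resolves to the canary host."""
    if not location_header:
        return False
    try:
        loc = urlsplit(urljoin(site_origin + "/", location_header.strip()))
    except ValueError:
        return False
    return (loc.hostname or "").lower() == (urlsplit(canary).hostname or "").lower()


# Constructed sample targets covering the usual open-redirect bypass tricks.
SAMPLE_TARGETS = [
    "/en/index.htm",
    "https://vulnerable.site/en/index.htm",
    "https://evil.example/login",
    "//evil.example/login",
    "/\\evil.example",
    "https://vulnerable.site@evil.example/",
    "https://vulnerable.site.evil.example/",
    "javascript:alert(1)",
    "https://vulnerable.site:8443/",
]


def classify_samples() -> dict:
    """Map each sample target to whether the hardened handler would accept it."""
    return {t: is_safe_redirect_target(t) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, ok in classify_samples().items():
        print(f"{'allow ' if ok else 'reject'}  {target!r}")
    print("probe:", build_probe_url(SITE_ORIGIN))
```

A PHP handler would apply the same decision before calling `header("Location: ...")`; the fallback to `/` rather than an error keeps legitimate language switching working while denying the cross-domain hop. The probe helper only classifies a header you already captured, so it can be run offline against saved responses.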
Mitigation: Since no patched version exists, remove the Babel module from any affected site.
Developer Contacted: 2. 2. 2019
Developer Responded: 11. 2. 2019 (project abandoned, no new versions are to be expected)
Disclosure to CSIRT network: 14. 2. 2019
Public Disclosure: 20. 2. 2019