| Title | zenvia movidesk < 25.01.15.86c796efe6 Open Redirect |
|---|
| Description | Vulnerability Report: Open Redirect in Movidesk Login System
Summary
An open redirect vulnerability was identified in websites that run the Movidesk help desk system. The login page (/Account/Login) accepts a ReturnUrl parameter and, after successful authentication, redirects the browser to it without checking that the value points back to the same origin. A protocol-relative value (//host, as in the //google.com proof of concept below) therefore sends a freshly authenticated user to a site chosen by the attacker, which lends itself to phishing and credential theft.
Affected Systems
The vulnerability is not limited to a single domain: any deployment of the Movidesk platform that exposes this login page is affected. A simple Google Dork query allowed us to identify multiple vulnerable domains, including but not limited to:
https://service.sigmatelecom.com.br/Account/Login?ReturnUrl=//google.com
https://atendimento.viasoft.com.br/Account/Login?ReturnUrl=//google.com
https://goldsystem.movidesk.com/Account/Login?ReturnUrl=//google.com
https://movidesk.consistem.com.br/Account/Login?ReturnUrl=//google.com
Vulnerability Details
Vulnerable Parameter: ReturnUrl
Issue: The value of ReturnUrl is used as the post-login redirect target without being validated against the site's own origin. A value that begins with a double slash (//) is a protocol-relative URL: the browser resolves it against the current scheme, so //google.com becomes https://google.com. This is the classic bypass of a check that only requires a leading slash so that the value "looks like" a local path; whatever check is in place here, it accepts the protocol-relative form, and after a successful login the user is sent to the external site.
Example Exploitation:
Accessing the following URL:
https://service.sigmatelecom.com.br/Account/Login?ReturnUrl=//google.com
After logging in, the user is redirected to https://google.com; in a real attack the target would be a phishing page or a site serving malicious content.
Security Impact
This vulnerability can lead to several security issues, including:
Phishing Attacks: Attackers can redirect users to fake login pages to steal credentials.
Malware Distribution: Users can be redirected to sites hosting malware or exploit kits.
Loss of Trust: The redirection can be exploited to impersonate legitimate organizations.
Steps to Reproduce
Visit any affected Movidesk login page with the manipulated URL, for example:
https://atendimento.viasoft.com.br/Account/Login?ReturnUrl=//google.com
Enter valid credentials and log in.
Observe that the post-login response redirects the browser to the external site without any validation (the Location header of that response, visible in the browser's network tools, points to the external host).
Recommendations
To mitigate this issue, it is recommended that Movidesk implement the following security measures:
Input Validation: Accept a ReturnUrl only if it is a same-origin path. Reject any value that parses with a scheme or host, and specifically the protocol-relative form (//host) and its backslash variant (/\host), which browsers treat identically. If the application is ASP.NET MVC, which the /Account/Login?ReturnUrl= convention suggests, the framework's Url.IsLocalUrl helper performs exactly this check.
Allowlist Approach: Where redirects to other hosts are genuinely required, compare the parsed host against a fixed allowlist of trusted domains instead of accepting arbitrary input.
Fail Closed: When validation fails, redirect to a fixed in-application page (for example the user's home page) rather than to the supplied value. Encoding or escaping the value does not help here: the problem is where the browser is sent, not how the URL is written.
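As an added example (not part of this submission and not Movidesk's code): a Python validator that implements the recommendations above, shown next to the kind of leading-slash check that the // form bypasses. The function names (naive_is_local, is_safe_return_url, safe_return_url), the sample ReturnUrl values and the assumption that the weak check is a plain "starts with /" test are all constructed for illustration; the application's real check is not known.

```python
from urllib.parse import unquote, urlsplit


def naive_is_local(url: str) -> bool:
    """Hypothetical weak check (constructed for illustration).

    It only asks for a leading "/", so the protocol-relative value
    "//google.com" passes and the browser resolves it to https://google.com.
    """
    return url.startswith("/")


def is_safe_return_url(url: str) -> bool:
    """Accept only a same-origin absolute path; fail closed on anything else."""
    if not url:
        return False
    # Inspect the decoded form so "/%2F%2Fhost" or "/%5Chost" cannot hide a
    # second slash or a backslash from the checks below. This is conservative:
    # a genuinely local path containing %2F is rejected too.
    decoded = unquote(url)
    # The WHATWG URL parser drops ASCII tabs and newlines anywhere in a URL,
    # so "/\t/host" would become "//host" in the browser. Refuse all
    # whitespace and control characters outright.
    if any(c.isspace() or ord(c) < 0x20 for c in decoded):
        return False
    # Must be an absolute path ...
    if not decoded.startswith("/"):
        return False
    # ... but not protocol-relative ("//host") or its backslash twin
    # ("/\host"), which browsers treat the same way.
    if decoded[1:2] in ("/", "\\"):
        return False
    # Belt and braces: once parsed, a path carries neither scheme nor host.
    parts = urlsplit(decoded)
    return not parts.scheme and not parts.netloc


def safe_return_url(url: str, fallback: str = "/") -> str:
    """What a login handler should redirect to: the validated ReturnUrl,
    or a fixed in-application page when validation fails."""
    return url if is_safe_return_url(url) else fallback


# Constructed ReturnUrl values: the proof of concept from the report plus
# common variants that a "starts with /" check also lets through.
SAMPLE_RETURN_URLS = [
    "/Tickets/123?tab=history",  # legitimate in-app target
    "//google.com",              # report's PoC: protocol-relative URL
    "/\\google.com",             # backslash variant of the same trick
    "/%2F%2Fgoogle.com",         # percent-encoded second slash
    "/\t/google.com",            # tab dropped by the browser's URL parser
    "https://google.com",        # absolute URL
    "javascript:alert(1)",       # scheme, not a path
]


def compare_checks(urls=SAMPLE_RETURN_URLS) -> dict:
    """Map each value to (naive_accepts, hardened_accepts)."""
    return {u: (naive_is_local(u), is_safe_return_url(u)) for u in urls}


if __name__ == "__main__":
    for u, (weak, strong) in compare_checks().items():
        print(f"{u!r:28} naive={weak!s:5} hardened={strong}")
```

Only the first sample survives the hardened check; the naive check accepts every value that begins with a slash, including all four external variants. The fallback in safe_return_url is what the login handler should use instead of the supplied value when validation fails.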
References
OWASP Open Redirect Vulnerability
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVSS Score (Estimated)
The vector below evaluates to a CVSS v3.1 base score of 4.6 (Medium); the 5.3 originally stated does not correspond to it. PR:L is also questionable: the attacker needs no account on the target, only a victim who completes the login (already captured by UI:R), and the redirect lands on a different site (S:C). With PR:N and S:C the vector evaluates to 6.1 (Medium), the value commonly used for open redirects.
Base Score: 4.6 (Medium), as computed from the vector below
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: Required (UI:R)
Scope: Unchanged (S:U)
Confidentiality Impact: Low (C:L)
Integrity Impact: Low (I:L)
Availability Impact: None (A:N) |
|---|
| Source | ⚠️ https://*.*.*.*/Account/Login?ReturnUrl=//google.com |
|---|
| User | y4g0 (UID 80480) |
|---|
| Submission | 20/01/2025 21:21 (1 year ago) |
|---|
| Moderated | 02/02/2025 08:54 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 294361 [Zenvia Movidesk up to 25.01.29.29c1a0aa07 /Account/Login ReturnUrl Yago Martins Redirect] |
|---|
| Points | 20 |
|---|