PbootCMS Open Redirect and Reflected Cross-Site Scripting Vulnerability

Vulnerability

A vulnerability allowing open redirection and reflected cross-site scripting (XSS) has been identified in PbootCMS versions prior to 3.2.12. The issue arises in the MemberController.php file, specifically within the alert_location function of the Parameter Handler component. The vulnerability is triggered by manipulating the backurl parameter, which is used as a redirect target after login. This parameter is also inserted into the JavaScript output without proper encoding, enabling remote exploitation.

Impact

Exploitation of this vulnerability could lead to phishing attacks through redirection to malicious sites, execution of arbitrary JavaScript in the context of the victim's browser, and potential theft of session cookies, allowing for follow-up attacks.

Reproduction

The vulnerability can be reproduced by logging in and using a crafted backurl parameter. For open redirect, the backurl can be set to an external site, such as 'https://evil.example.com'. For reflected XSS, the backurl can be set to a JavaScript payload, such as a script that alerts the document cookie.

Remediation

To address this vulnerability, redirect targets should be restricted to relative internal paths or a strict allowlist. Additionally, context-aware output encoding should be applied for JavaScript outputs, and server-side redirects should be preferred over inline script generation.
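One way to apply these three measures in PHP, as an added example that is not PbootCMS's own patch. The function names safe_back_url, redirect_after_login and js_string_literal are hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not PbootCMS code): accept only same-site relative paths.
function safe_back_url(?string $backurl, string $default = '/'): string
{
    if ($backurl === null || $backurl === '') {
        return $default;
    }
    // Control characters and backslashes are rejected outright: browsers strip
    // tabs/newlines and treat "\" as "/", which turns "/\host" into "//host".
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $backurl) === 1) {
        return $default;
    }
    // Require exactly one leading "/". This blocks absolute URLs, "javascript:"
    // and other schemes, and protocol-relative "//host" targets.
    if ($backurl[0] !== '/' || substr($backurl, 0, 2) === '//') {
        return $default;
    }
    return $backurl;
}

// Preferred: server-side redirect, so no user data reaches a script context.
function redirect_after_login(?string $backurl): void
{
    header('Location: ' . safe_back_url($backurl), true, 302);
    exit;
}

// If an inline script cannot be avoided, emit the value as a JS string literal.
// The JSON_HEX_* flags escape <, >, &, ' and " so it cannot close the <script> block.
function js_string_literal(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed sample inputs, not taken from the application.
$samples = ['/member/ucenter', 'https://evil.example.com', '//evil.example.com',
            '/\\evil.example.com', 'javascript:void(0)', "/a'</script>"];
foreach ($samples as $s) {
    printf("%-28s -> %s\n", $s, js_string_literal(safe_back_url($s)));
}
```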

Added: Mar 21, 2026, 7:19 AM
Updated: Mar 21, 2026, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.