############################################################
#
# Title    : Umbraco <= 4.7.1.1 Open Redirect Vulnerability
# Author   : P. de Brouwer - @knickz0r
#            NLSecurity - www.nlsecurity.org
#            info@nlsecurity.org
#
# Dork     : intitle:"Umbraco - login"
#            inurl:"/umbraco/umbraco.aspx"
#
# Software : Umbraco <= 4.7.1.1
#            http://umbraco.codeplex.com/releases/view/73692
#
# Vendor   : Umbraco
#            www.umbraco.com
#
# Date     : 2012-02-02
#
############################################################

+ -- --=[ 0x01 - Software description

Umbraco is a fully-featured open source content management
system with the flexibility to run anything from small
campaign or brochure sites right through to complex
applications for Fortune 500's and some of the largest media
sites in the world.

+ -- --=[ 0x02 - Vulnerability description

Due to improper handling of the 'redir' parameter it is
possible to replace the default value of '%2fumbraco%2f'
with a (malicious) URL. As a result, a user visiting the
crafted URL will be redirected to the value of the 'redir'
parameter.

+ -- --=[ 0x03 - Impact

The impact of this vulnerability should be considered a high
risk as the redirect is executed after a user has
successfully logged in. This would allow attackers to use
client-side exploitation to gain access to the machine or
credentials of the user and perform malicious actions.

+ -- --=[ 0x04 - Affected versions

All versions up to 4.7.1.1 have been confirmed to be
vulnerable. The vendor has confirmed that this issue has
been solved in version 4.7.1.2. Users of earlier versions
are advised to update to version 4.7.1.2.

+ -- --=[ 0x05 - Vendor contact trail

2012-01-30 - Discovered vulnerability during a pen-test
2012-02-02 - Informed software vendor about vulnerability
2012-02-03 - Vendor confirmed vulnerability and issued a fix
2012-02-03 - Vulnerability details disclosed

+ -- --=[ 0x06 - Proof of Concept (PoC)

A proof of concept demonstrates the functionality of this
vulnerability and how it is (mis)used. Here is how an
attacker could take advantage of this vulnerability:

The base of the URL would be as follows:

http://example.com/umbraco/

When visiting this URL, the victim would be redirected to
the login page located at:

http://example.com/umbraco/login.aspx?redir=%2fumbraco%2f
                                      ,--------------------
                                      '-> Optional

The 'redir' parameter would redirect the victim back to the
Umbraco interface after successfully logging in. However,
the parameter is not validated by the application and thus
allows an attacker to place a URL as the value of this
parameter. A maliciously crafted URL could look like the
following:

http://.../umbraco/login.aspx?redir=http://attacker.com/
                              ,--------------------
                              '-> Attacker's website

Then, when visited by the victim, after performing a
successful login attempt, the victim would be redirected to
the malicious website of the attacker, in this case:
attacker.com. The attacker could then place drive-by malware
on his website or mirror a fake login page to gather the
login details from the victim.
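As an added example (not part of this advisory and not Umbraco's own code), the following Python validator shows the check a post-login redirect needs in order to close the hole described above: the 'redir' value is accepted only when it is a local path under the application root, and otherwise replaced by the default '/umbraco/'. The sample values, function names and the app_root parameter are assumptions; besides the advisory's two URLs, the constructed samples include the protocol-relative, backslash and scheme variants that such a check must also reject.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample 'redir' values, modelled on the advisory's URLs:
# the default value, the advisory's absolute URL, and common variants
# that a naive "does not start with http" check would let through.
SAMPLE_REDIRS = [
    "%2fumbraco%2f",                    # default value from the advisory
    "http://attacker.com/",             # absolute URL from the advisory
    "//attacker.com/",                  # protocol-relative, resolves off-site
    "/\\attacker.com/",                 # browsers normalise '\' to '/'
    "javascript:alert(1)",              # scheme instead of a path
    "/umbraco/editContent.aspx?id=1",   # legitimate in-app target
]


def safe_redirect_target(redir, app_root="/umbraco/"):
    """Return redir if it is a local path under app_root, else app_root.

    Decoding is done once so '%2fumbraco%2f' is recognised as '/umbraco/';
    a double-encoded value fails the leading-slash test and falls back.
    """
    if not redir:
        return app_root
    target = unquote(redir)
    # Reject backslashes: some browsers treat '/\host' as '//host'.
    if "\\" in target:
        return app_root
    # Require exactly one leading slash: '//host' is an absolute URL.
    if not target.startswith("/") or target.startswith("//"):
        return app_root
    # Belt and braces: the parsed form must carry no scheme or host.
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return app_root
    # Keep redirects inside the application root.
    if not target.startswith(app_root):
        return app_root
    return target


def check_samples():
    """Map each constructed sample to the target the validator allows."""
    return {r: safe_redirect_target(r) for r in SAMPLE_REDIRS}


if __name__ == "__main__":
    for raw, allowed in check_samples().items():
        print(f"{raw!r:36} -> {allowed}")
```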