I-net – Clear Reports – Version 20.10.136 – Open Redirect.
The I-net Clear Reports web application accepts a user-controlled input that specifies a link to an external site and uses the user-supplied value in a redirect. This can aid an attacker in creating phishing attacks, since the link the victim clicks points at the legitimate application.
The latest version of Clear Reports with its default configuration was installed on the latest Ubuntu release. When authenticating to the application with the master password, the ‘RequestPage’ URL parameter was observed in the login request. Parameters of this kind (a "return to" page carried through the login flow) are commonly vulnerable to open redirects, whereby an attacker can use the legitimate application to send a user to a phishing page.
The request above shows the expected pre-authentication state. The value of the ‘RequestPage’ URL parameter can now be changed to point at an attacker-controlled page; for this proof of concept the https://ecsc.co.uk website is used as the target.
After modification (Figure 2) the application behaves no differently: the login page is still served as normal. Valid credentials are then submitted, producing the following request:
After authentication the application redirects the user to the site specified in the ‘RequestPage’ parameter, so the legitimate application URL can serve as the entry point for a phishing campaign. Note that the redirect only fires after a successful login, so a link of this form has to reach a user who holds valid credentials: that user sees the genuine login page first and is sent to the phishing page only afterwards, which makes the redirect harder to notice.
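The following is an added example, not code from the advisory or from i-net Clear Reports. It contrasts the behaviour described above (the ‘RequestPage’ value used verbatim as the post-login redirect) with an allow-list check that only permits targets on the application's own origin, and it includes the bypass shapes a tester would try against a naive fix (scheme-relative "//host", backslash "/\host", "https:/host", userinfo "ourhost@evil" and "javascript:" targets). The origin APP_ORIGIN, the DEFAULT_PAGE fallback and the function names are assumptions made for the example; the advisory does not name the host it was tested against.

```python
from urllib.parse import urlsplit

# Origin of the deployed Clear Reports instance. This hostname is an assumption
# for the example; the advisory does not state the host it was tested on.
APP_ORIGIN = "https://reports.example.internal"
# Page to fall back to when RequestPage is missing or unsafe (assumed name).
DEFAULT_PAGE = "/"


def is_safe_redirect_target(target: str) -> bool:
    """Return True only if `target` stays on APP_ORIGIN.

    Accepts an absolute URL whose scheme and host equal APP_ORIGIN exactly,
    or a path beginning with "/". Everything else is rejected: other hosts,
    scheme-relative "//host" forms, "/\\host" (browsers treat the backslash
    as a slash), "https:/host" (browsers read it as "https://host"),
    userinfo tricks such as "https://ourhost@evil", and non-HTTP schemes
    such as "javascript:".
    """
    if not target:
        return False
    # Normalise backslashes and surrounding whitespace before parsing, so the
    # check sees the string the way a browser will interpret it.
    normalised = target.strip().replace("\\", "/")
    parts = urlsplit(normalised)
    app = urlsplit(APP_ORIGIN)

    if parts.scheme:
        # Absolute URL: require an exact scheme and host match. A missing
        # netloc ("https:/evil") fails here because "" != app.netloc, and
        # "ourhost@evil" fails because the whole netloc is compared.
        return (parts.scheme.lower() == app.scheme.lower()
                and parts.netloc.lower() == app.netloc.lower())
    if parts.netloc:
        # Scheme-relative "//evil.example/..." keeps only our scheme and
        # would leave our origin.
        return False
    # A plain path. Require a leading slash so it cannot be read relative to
    # some other base.
    return normalised.startswith("/")


def login_redirect_vulnerable(request_page: str) -> str:
    """Post-login Location value as the advisory describes the behaviour:
    the RequestPage parameter is used verbatim (illustrative re-creation,
    not the product's code)."""
    return request_page or DEFAULT_PAGE


def login_redirect_hardened(request_page: str) -> str:
    """Post-login Location value with the allow-list check applied."""
    if is_safe_redirect_target(request_page):
        return request_page
    return DEFAULT_PAGE


def redirects_off_origin(location_header: str) -> bool:
    """True when a captured Location header points away from APP_ORIGIN.

    When testing, submit the login with a modified RequestPage and run this
    over the Location header of the post-authentication response.
    """
    return not is_safe_redirect_target(location_header)


if __name__ == "__main__":
    # Constructed probe values: the proof-of-concept target from the advisory
    # plus common filter-bypass shapes.
    probes = [
        "/report/1",
        "https://reports.example.internal/dashboard",
        "https://ecsc.co.uk",
        "//ecsc.co.uk",
        "/\\ecsc.co.uk",
        "https:/ecsc.co.uk",
        "https://reports.example.internal@ecsc.co.uk/",
        "https://reports.example.internal.ecsc.co.uk/",
        "javascript:alert(1)",
    ]
    for p in probes:
        print(f"{p!r:50} vulnerable -> {login_redirect_vulnerable(p)!r:48} "
              f"hardened -> {login_redirect_hardened(p)!r}")
```

The check deliberately avoids urllib's urljoin for the decision: Python resolves "https:/evil.example" against the application's base to a same-origin path, while browsers navigate to evil.example, so a join-then-compare check would pass exactly the input that bypasses it. Comparing the parsed scheme and netloc directly, after backslash normalisation, sidesteps that parser disagreement.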