CVE-2020-28150

I-net – Clear Reports – Version 20.10.136 – Open Redirect.

The I-net Clear Reports web application accepts a user-controlled input that specifies a link to an external site, and uses the user supplied data in a redirect. This can aid an attacker when creating phishing attacks.

The latest version of Clear Reports with a default configuration was installed on the latest ubuntu release. When attempting to authenticate to the application using the master password the ‘RequestPage’ URL parameter was detected, this type of parameter Is commonly vulnerable to an open redirect; whereby a malicious attacker can utilise the legitimate application to redirect a user to a phishing page.

Normal use of the application with an unmodified URL.

The above displays what would be expected pre-authentication, it is now possible to modify the value of the ‘RequestPage’ URL parameter to point to our malicious phishing page, in this case the https://ecsc.co.uk website is used for proof of concept.

The URL parameter has now been modified with the POC destination.

After modification (Figure 2) it is possible to see that no change has been made to the application, valid credentials are now sent to the application, creating the following request:

Burpsuite shows the request sent by the browser when authenticated.

Post authentication the application will now redirect the user to the target site specified within the application URL parameter, utilising the legitimate application URL for our phishing campaign.

Result of authenticating to the application with a modified URL parameter.
A fix has been implemented for this finding;
https://www.inetsoftware.de/support/news/i-net-pdfc-new-release-20.10