[FD] Open redirect vulnerability in StageShow Wordpress plugin v5.0.8

[Nitin Venkatesh <venkatesh.nitin@xxxxxxxxx>]

# Title: Open redirect vulnerability in StageShow Wordpress plugin v5.0.8
# Submitter: Nitin Venkatesh
# Product: StageShow Wordpress Plugin
# Product URL: https://wordpress.org/plugins/stageshow
# Vulnerability Type: URL Redirection to Untrusted Site ('Open Redirect')
[CWE-601]
# Affected Versions: v5.0.8 and possibly below
# Tested Version: v5.0.8
# Fixed Version: v5.0.9
# Link to source code diff:
https://plugins.trac.wordpress.org/changeset/1165310
# Link to changelog: https://wordpress.org/plugins/stageshow/changelog/
# CVE Status: None/Unassigned/Fresh

## Product Information

StageShow adds the facility for an online Box-Office for Small
Theatres/Drama Groups, records sales, validates tickets and provides sales
downloads.

## Vulnerability Description

Open redirect vulnerability in stageshow_redirect.php file using url
parameter

## Vulnerable Source Code

31 $url = urldecode($_GET['url']);
..
34 Redirect($url, true);
35
36 function Redirect($url, $permanent = false)
37 {
38    header('Location: ' . $url, true, $permanent ? 301 : 302);
39    die;
40 }

## Proof of Concept

Sample exploit GET request:

GET
/wp-content/plugins/stageshow/stageshow_redirect.php?url=http%3A%2F%2F2buntu.com

## Solution:

Upgrade to v5.0.9

## Disclosure Timeline:

2015-05-19 - Discovered. Contacted developer on forums
2015-05-20 - Report mailed to developer
2015-05-21 - Update v5.0.9 released
2015-07-05 - Publishing disclosure to FD mailing list

## Disclaimer:

This disclosure is purely meant for educational purposes. I will in no way
be responsible as to how the information in this disclosure is used.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/