Author Topic: OpenRedirect?

elomaran

  • SMF4Mobile Customer
  • *
  • Posts: 9
  • Karma: 0
OpenRedirect?
« on: May 04, 2020, 06:48:02 pm »
I purchased smf4mobile in 2014 and have used it ever since for my forum. However, today I had to uninstall it after learning that the redirect from the standard to the mobile site (or vice versa) could be exploited to redirect to any other website, and was used by spammers in e-mails to mask the real goal they were redirecting their victims to.

Though my domain was used without my knowledge, and the spam was not sent through my server but through a hacked server in Vietnam, my host threatened to shut down my server if I didn't take measures to prevent further misuse of my domain. A friend who is an IT security specialist pinpointed the smf4mobile script as the culprit, and after uninstalling it, the open redirect was indeed no longer possible.

My forum, however, needs a mobile skin, and in the six years since I first purchased the script there have been several updates to it. If I purchase it now, is the open redirect still in it, or has the redirect between standard and mobile since been solved in another way?

Thanks for the info!

vbgamer45

  • Administrator
  • *****
  • Posts: 177
  • Karma: 3
Re: OpenRedirect?
« Reply #1 on: May 04, 2020, 06:56:52 pm »
Yes, the redirect was fixed after I took over development of the mod, back in 2017 I believe.

elomaran

  • SMF4Mobile Customer
  • *
  • Posts: 9
  • Karma: 0
Re: OpenRedirect?
« Reply #2 on: May 04, 2020, 07:43:52 pm »
Thanks for the fast reply! I'll make my purchase then.

elomaran

  • SMF4Mobile Customer
  • *
  • Posts: 9
  • Karma: 0
Re: OpenRedirect?
« Reply #3 on: May 11, 2020, 06:49:02 pm »
Quote from: vbgamer45 on May 04, 2020, 06:56:52 pm
Yes, the redirect was fixed after I took over development of the mod, back in 2017 I believe.

After installing the 2.5 version of the theme and 2.04 of the mod, I found out that the redirect link could still be exploited by spammers. The open redirect turned out to be still open. My IT friend looked through the code and found the culprit in one of the changes the mod makes to Load.php.


Changing
Code:
    if (isset($_REQUEST['redirect']))
        redirectexit(urldecode($_REQUEST['redirect']));

to
Code:
    if (isset($_REQUEST['redirect']))
        redirectexit($baseurl);

fixed the vulnerability, and the link used by the spammers (and the testlink my friend set up to redirect to his webspace) finally doesn't work any longer.

vbgamer45

  • Administrator
  • *****
  • Posts: 177
  • Karma: 3
Re: OpenRedirect?
« Reply #4 on: May 11, 2020, 07:04:35 pm »
That shouldn't have been the case. I checked the mod, and the code uses the following now:
Code:
    if (isset($_REQUEST['redirect']))
    {
        global $boardurl;
        if (substr_count(urldecode($_REQUEST['redirect']), $boardurl) == 0)
            fatal_error("Unable to redirect", false);
        else
            redirectexit(urldecode($_REQUEST['redirect']));
    }
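
The check quoted above only asks whether the string in $boardurl occurs somewhere in the decoded target, so a target that merely contains the forum URL (in a query parameter, as the left part of a longer hostname, or in the userinfo section before an "@") still passes and is redirected to. The example below is added here and is not SMF4Mobile's or SMF's own code; the $boardurl value and every sample URL are constructed for illustration. It runs the mod's substr_count() check and a host-based replacement side by side over those samples, and the comment at the end shows how the replacement would slot into the Load.php block using the SMF functions already named in the thread.

```php
<?php
// Added example (not SMF4Mobile's or SMF's own code). It compares the
// substr_count() allow-check quoted in reply #4 with a host-based check.
// $boardurl and every sample URL below are constructed for illustration.

$boardurl = 'https://forum.example.com';

// The mod's check, as posted: allow whenever $boardurl occurs *anywhere*
// in the decoded target.
function mod_check_allows(string $redirect, string $boardurl): bool
{
    return substr_count(urldecode($redirect), $boardurl) != 0;
}

// Hardened check: allow only a site-relative path, or an absolute URL whose
// scheme, host and port equal the forum's. Everything else is rejected.
function is_local_redirect(string $redirect, string $boardurl): bool
{
    // The mod urldecode()s an already-decoded request value; mirror that so
    // both checks see the same string.
    $target = urldecode($redirect);

    // CR/LF/NUL never belong in a Location header.
    if (preg_match('/[\x00-\x1f\x7f]/', $target)) {
        return false;
    }
    // Browsers normalise "\" to "/", so "/\evil.example" would resolve to
    // "//evil.example". Reject backslashes outright.
    if (strpos($target, '\\') !== false) {
        return false;
    }

    $t = parse_url($target);
    if ($t === false) {
        return false;
    }

    // Case 1: no scheme and no host, so treat it as a path. Require exactly
    // one leading "/" ("//evil.example" is protocol-relative and parses with
    // a host, so it never reaches this branch).
    if (!isset($t['scheme']) && !isset($t['host'])) {
        return isset($t['path']) && $t['path'] !== '' && $t['path'][0] === '/';
    }

    // Case 2: absolute URL. Compare origin components one by one; userinfo
    // ("https://forum.example.com@evil.example") is never acceptable, and
    // the port must match literally (no default-port normalisation here).
    $b = parse_url($boardurl);
    return isset($t['scheme'], $t['host'], $b['scheme'], $b['host'])
        && !isset($t['user']) && !isset($t['pass'])
        && strcasecmp($t['scheme'], $b['scheme']) === 0
        && strcasecmp($t['host'], $b['host']) === 0
        && ($t['port'] ?? null) === ($b['port'] ?? null);
}

// Sample targets a spammer or a tester might put in ?redirect=. Constructed.
function sample_targets(): array
{
    return [
        '/index.php?topic=42.0',                                // legit, relative
        'https://forum.example.com/index.php?board=1.0',        // legit, absolute
        'https://evil.example/?next=https://forum.example.com', // board URL in query
        'https://forum.example.com.evil.example/',              // board URL as host prefix
        'https://forum.example.com@evil.example/',              // userinfo trick
        '//evil.example/',                                      // protocol-relative
        '/\\evil.example/',                                     // backslash variant
        'javascript:alert(1)',                                  // non-http scheme
    ];
}

// Returns [target => [mod_allows, hardened_allows]] for the samples.
function compare_checks(string $boardurl): array
{
    $out = [];
    foreach (sample_targets() as $target) {
        $out[$target] = [
            mod_check_allows($target, $boardurl),
            is_local_redirect($target, $boardurl),
        ];
    }
    return $out;
}

foreach (compare_checks($boardurl) as $target => [$old, $new]) {
    printf("%-56s mod: %-5s hardened: %s\n", $target,
        $old ? 'allow' : 'deny', $new ? 'allow' : 'deny');
}

// Drop-in for the block in the mod's Load.php edit, using SMF's own
// fatal_error() and redirectexit() as in the thread:
//   if (isset($_REQUEST['redirect']))
//   {
//       global $boardurl;
//       if (!is_local_redirect($_REQUEST['redirect'], $boardurl))
//           fatal_error('Unable to redirect', false);
//       redirectexit(urldecode($_REQUEST['redirect']));
//   }
```

Running it with `php` shows the three samples that contain the forum URL (query parameter, hostname prefix, userinfo) are allowed by the substr_count() check and denied by the host comparison, while the plain relative path is denied by the mod's check and allowed by the replacement. Comparing parsed origin components rather than searching for a substring is the general fix for this class of open redirect; the only thing the mod needs to decide is whether relative paths should be permitted at all.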

elomaran

  • SMF4Mobile Customer
  • *
  • Posts: 9
  • Karma: 0
Re: OpenRedirect?
« Reply #5 on: May 11, 2020, 07:20:38 pm »
That's the version I installed, yes (just double checked the install file). The redirect could still be taken (by a spider, most likely) and altered to redirect to another website (Russian spam, in my case).

When I commented this part out:
Code:
    if (isset($_REQUEST['thememode']))
    {
        $_SESSION['id_theme'] = 0;

        if ($_REQUEST['thememode'] == 'full')
            setcookie('smf4m_mode', 'full', time() + (86400 * 60));
        else
            setcookie('smf4m_mode', 'mobile', time() + (86400 * 60));

        if (isset($_REQUEST['redirect']))
            redirectexit(urldecode($_REQUEST['redirect']));
    }
the redirect stopped working, but then the page had to be manually refreshed after switching the theme.  So we changed the last line to
Code:
    redirectexit($baseurl);

to have a working mod that didn't allow the forum to redirect to Russian spam websites. I know only very little PHP, so I had to rely on my friend, who called this fix "ugly, but it should work".

vbgamer45

  • Administrator
  • *****
  • Posts: 177
  • Karma: 3
Re: OpenRedirect?
« Reply #6 on: May 12, 2020, 02:42:38 pm »
$baseurl is not in the normal mod by default. I would like to see how that is defined.
Yes, a spider can still see the URL. But I could add code in the template to hide the link from major spiders.