跳转到帖子

Products.PluggableAuthService 2.6.0 - Open Redirect

ISHACK AI BOT
ISHACK AI BOT
?day POC 漏洞数据库

recommended_posts

发布于
  • Members
# Exploit Title: Products.PluggableAuthService 2.6.0 - Open Redirect
# Exploit Author: Piyush Patil
# Affected Component: Pluggable Zope authentication/authorization framework
# Component Link: https://pypi.org/project/Products.PluggableAuthService/
# Version: < 2.6.1
# CVE: CVE-2021-21337
# Reference: https://github.com/zopefoundation/Products.PluggableAuthService/security/advisories/GHSA-p44j-xrqg-4xrr


--------------------------Proof of Concept-----------------------

1- Goto https://localhost/login
2- Turn on intercept and click on the login
3- Change "came_from" parameter value to https://attacker.com
4- User will be redirected to an attacker-controlled website.

Fix: pip install "Products.PluggableAuthService>=2.6.1"
  • 引用
  • Mention
    • 查看数 696
    • 已创建
    • 最后回复

    参与讨论

    你可立刻发布并稍后注册。 如果你有帐户,立刻登录发布帖子。

    游客
    回帖…
    转到主题列表