CVE-2022-2252: unvalidated redirect in Microweber CMS

Exploiting this popular CMS requires no special skills. The flaw has already been patched, but users of unpatched versions remain vulnerable.

Microweber CMS is a website builder and a powerful CMS. It is written in PHP and uses a drag-and-drop approach. It can be used to build any kind of website, online store, or blog. You can imagine how popular it is!

The vulnerable part is the redirect handler, which can redirect you to a malicious website if the URL is constructed in a special way. Forbidding so-called open redirects is a must-have security practice: a website should be able to redirect to any page, but only under its own domain. Let's see how it can be exploited.

First, suppose you receive a specially crafted email pretending to come from your bank and containing your new bank statement. In reality, this email was sent by a hacker who wants to steal the login and password for your Internet banking account. His goal is to trick you into clicking a link in the message.

Second prerequisite: suppose you have Microweber CMS open and authenticated in one of your browser tabs. It may even be a background tab; it does not matter.

The link will contain something like this:

http://mydomain.com/test/microweber-master/logout?redirect_to=http://mytrustedbanc.com\@mydomain.com/

where mydomain.com is the legitimate domain of your CMS, and mytrustedbanc.com is a high-quality replica of My Trusted Bank (note the letter "c" instead of "k" in the URL; it's a common trick).

By clicking this link, the CMS will transparently redirect you to the fake bank website, where you will enter your login and password. Now they are in the hacker's hands.

The vulnerability lies in improper parsing of the 'redirect_to' parameter. The fix is simple: add the missing validation.
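The link above works because of a parser differential: many server-side URL parsers treat everything before the `@` as user information and report the host as mydomain.com, while browsers treat the backslash in an http URL as a path separator and therefore navigate to mytrustedbanc.com. The following is an added example (not Microweber's code or its actual patch) showing a hostname-only check that is fooled by exactly this URL, next to a stricter validator that only accepts site-relative paths or absolute URLs whose authority component is exactly the site's own host. The host name `mydomain.com` and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed for this example: the host the CMS is served from.
SITE_HOST = "mydomain.com"


def naive_is_safe(target: str) -> bool:
    """Hostname-only check of the kind that lets the crafted link through.

    urlsplit() reports the text after the last '@' as the hostname, so
    'http://mytrustedbanc.com\\@mydomain.com/' looks like mydomain.com here,
    even though a browser will go to mytrustedbanc.com.
    """
    return (urlsplit(target).hostname or "").lower() == SITE_HOST


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect target that stays on SITE_HOST, or `default`.

    Accepts only:
      1. a site-relative path starting with a single '/'
         (rejecting '//host' and '/\\host', which browsers read as a new host);
      2. an absolute http(s) URL whose whole authority component (not just the
         parsed hostname) equals SITE_HOST, rebuilt without any userinfo.
    Everything else falls back to `default`.
    """
    if not target:
        return default
    # Control characters and whitespace are stripped or reinterpreted by
    # different parsers; reject them outright rather than guess.
    if any(ord(ch) < 0x21 for ch in target):
        return default

    parts = urlsplit(target)

    # Case 1: site-relative path.
    if parts.scheme == "" and parts.netloc == "":
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return default

    # Case 2: absolute URL on our own host. Compare the raw netloc, so any
    # '@', backslash, port or userinfo trick makes the comparison fail.
    if parts.scheme.lower() in ("http", "https") and parts.netloc.lower() == SITE_HOST:
        return urlunsplit(
            (parts.scheme.lower(), SITE_HOST, parts.path or "/", parts.query, parts.fragment)
        )

    return default


if __name__ == "__main__":
    # Constructed inputs: the link from the article plus a few variants.
    crafted = "http://mytrustedbanc.com\\@mydomain.com/"
    print("naive check passes crafted link:", naive_is_safe(crafted))       # True
    print("strict check on crafted link:", safe_redirect_target(crafted))   # /
    print("strict check on relative path:", safe_redirect_target("/admin/dashboard"))
```

The strict validator deliberately compares the raw authority component rather than the parsed hostname, so anything that contains userinfo, a backslash or an explicit port is rejected; if your deployment legitimately needs a port, add it to the expected value rather than loosening the comparison. Preferring site-relative paths over absolute URLs for the `redirect_to` parameter removes the whole class of problems.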

Useful Links