Huawei open-redirect vulnerability

Mar 26, '16
Author  : dn5
Blog    : http://dn5.ljuska.org
Date    : 28.04.2014.
E-mail  : dn5@dn5.ljuska.org
Twitter : @dn5__

Vulnerability No. #1

Huawei uniportal, located under the sub-domain http://uniportal.huawei.com/uniportal/, has an open-redirect vulnerability: the application takes a parameter and redirects the user to the parameter value without any validation. This vulnerability can lead to medium-to-high risk phishing attacks, and it can lead to other bugs too. The vulnerability was reported to Huawei and has been properly fixed.

PoC

To recreate this vulnerability, log in with your username and password at the official Huawei login. Make sure to select "Remember password"; otherwise the exploit is not always successful because of the Huawei session. Now, every time you visit this link[1] you will be redirected to http://example.com. You can change the redirect parameter to whichever website you want to redirect to. This vulnerability works out of the box on the whole /www/ scope. Be sure to check the video at the end for a proper PoC.

[1] https://uniportal.huawei.com/uniportal/?redirect=http://www.example.com/

Fix

Check whether the redirect parameter points to an unknown host, and make sure to properly sanitize the input of the parameter.
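
One way to implement this check, as an added example (not code from the original post and not Huawei's actual fix). The allowlist contents, the fallback path and the function name `safe_redirect_target` are assumptions chosen for illustration:

```python
from urllib.parse import urlsplit

# Assumption: hosts the application is willing to redirect to (constructed list).
ALLOWED_HOSTS = {"uniportal.huawei.com", "www.huawei.com"}
# Assumption: where to send the user when the parameter is rejected.
DEFAULT_TARGET = "/uniportal/"


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return `value` if it is an acceptable redirect target, else `default`."""
    if not value:
        return default
    # Browsers treat "\" like "/" and drop tabs/newlines inside URLs, so a value
    # containing them may resolve differently from what the parser reports.
    if "\\" in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    # Same-site relative path: no scheme, no host, exactly one leading slash
    # ("//host/path" is protocol-relative and leaves the site).
    if not parts.scheme and not parts.netloc:
        if value.startswith("/") and not value.startswith("//"):
            return value
        return default
    if parts.scheme not in ("http", "https"):
        return default
    # Reject embedded credentials, where the real host follows the "@".
    if parts.username is not None or parts.password is not None:
        return default
    # Compare the exact parsed host, never a substring or prefix of the URL.
    host = (parts.hostname or "").lower().rstrip(".")
    return value if host in allowed_hosts else default
```

The comparison is made on the parsed hostname against an exact allowlist, so a host that merely starts with or contains an allowed name is rejected along with the unknown host from the PoC link.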

Video