URL Redirector Abuse in MetInfo version <= 5.3.17

There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl parameter to member/login.php.

PoC

Visit the website and log in:

http://127.0.0.1/metinfo/member/login.php?gourl=http://baidu.com

The gourl value is accepted without any restriction and can redirect to any URL.

It will redirect to baidu.com.

> [Discoverer]
> lncken

Use CVE-2017-11718.
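A sketch of how a login handler could constrain a `gourl`-style parameter to same-site paths before redirecting. This is an added example, not MetInfo's code or its actual fix; the helper name `safe_redirect_target()` and the fallback path `/member/` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not MetInfo code. safe_redirect_target() and the
// '/member/' fallback are hypothetical names chosen for illustration.

/**
 * Return $gourl only if it is a same-site absolute path; otherwise $fallback.
 */
function safe_redirect_target($gourl, string $fallback = '/member/'): string
{
    // Query parameters can arrive as arrays (gourl[]=...); accept strings only.
    if (!is_string($gourl) || $gourl === '') {
        return $fallback;
    }
    // Reject control characters and spaces (header injection, characters that
    // browsers strip) and backslashes, which browsers may treat as "/".
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $gourl)) {
        return $fallback;
    }
    // Exactly one leading slash means a local path; "//host" is
    // protocol-relative and would leave the site.
    if ($gourl[0] !== '/' || (isset($gourl[1]) && $gourl[1] === '/')) {
        return $fallback;
    }
    // Defence in depth: the URL parser must not find a scheme or a host.
    $parts = parse_url($gourl);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    return $gourl;
}

// Constructed sample inputs: one legitimate path, then values that must fall back.
$samples = [
    '/member/index.php?lang=en',
    'http://baidu.com',
    '//baidu.com',
    '/\\baidu.com',
    ['http://baidu.com'],
];
foreach ($samples as $s) {
    printf("%-28s => %s\n", is_string($s) ? $s : '(array)', safe_redirect_target($s));
}

// In a login handler the validated value, not the raw parameter, goes into the header:
// header('Location: ' . safe_redirect_target($_GET['gourl'] ?? ''));
```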
