Open Redirection vulnerability identified on BlogEngine.NET CMS (version 3.3.8.0 and earlier)

If a GET request to default.aspx page contains "years=" within the URL, the application calls a function named "Redirect".

This function sets several parameters including year, month, date, page and rewrite. Though the date parameter was parsed using the DateTime object, month and year parameters are not getting validated and are being used to construct the rewrite parameter.

Furthermore, the write and page parameters are getting appended and are being used to redirect the user using HTTP headers.

Since, they were not sanitized, encoded or validated, an attacker can leverage this flaw to redirect the users to an attacker controlled-URL.