OpenX 2.8.10 Open Redirect

2014.10.17
Credit: Wang Jing
Risk: Low
Local: No
Remote: Yes
CWE: CWE-601


Ogólna skala CVSS: 5.8/10
Znaczenie: 4.9/10
Łatwość wykorzystania: 8.6/10
Wymagany dostęp: Zdalny
Złożoność ataku: Średnia
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Brak

Exploit Title: OpenX Open Redirect Vulnerability Product: OpenX Vendor: OpenX Vulnerable Versions: 2.8.10 and probably prior Tested Version: 2.8.10 Advisory Publication: OCT 8, 2014 Latest Update: OCT 8, 2014 Vulnerability Type: Open Redirect [CWE-601] CVE Reference: CVE-2014-2230 Risk Level: Low CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) Solution Status: Solution Available Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] Vulnerability Details: OpenX adclick.php, ck.php, vulnerable to Open Redirect attacks. Source code of adclick.php: $destination = MAX_querystringGetDestinationUrl($adId[0]); MAX_redirect($destination); The "MAX_redirect" function is bellow, function MAX_redirect($url) { if (!preg_match('/^(?:javascript|data):/i', $url)) { header('Location: '.$url); MAX_sendStatusCode(302); } The header() function sends a raw HTTP header to a client without any checking of the "$dest" parameter at all. (1) For "adclick.php", the vulnerability occurs with "&dest" parameter. (2) For "ck.php", it uses "adclick.php" file. the vulnerability occurs with "_maxdest" parameter. Solutions: 2014-10-12 Public disclosure with self-written patch. References: https://github.com/kriwil/OpenX/blob/master/www/index.php http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability/ http://www.openx.com http://cwe.mitre.org http://cve.mitre.org/

Referencje:

https://github.com/kriwil/OpenX/blob/master/www/index.php
http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability/
http://www.openx.com
http://cwe.mitre.org
http://cve.mitre.org/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top