Exploit Title: OpenX Open Redirect Vulnerability Product: OpenX Vendor: OpenX Vulnerable Versions: 2.8.10 and probably prior Tested Version: 2.8.10 Advisory Publication: OCT 8, 2014 Latest Update: OCT 8, 2014 Vulnerability Type: Open Redirect [CWE-601] CVE Reference: CVE-2014-2230 Risk Level: Low CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) Solution Status: Solution Available Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore] Vulnerability Details: OpenX adclick.php, ck.php, vulnerable to Open Redirect attacks. Source code of adclick.php: $destination = MAX_querystringGetDestinationUrl($adId[0]); MAX_redirect($destination); The "MAX_redirect" function is bellow, function MAX_redirect($url) { if (!preg_match('/^(?:javascript|data):/i', $url)) { header('Location: '.$url); MAX_sendStatusCode(302); } The header() function sends a raw HTTP header to a client without any checking of the "$dest" parameter at all. (1) For "adclick.php", the vulnerability occurs with "&dest" parameter. (2) For "ck.php", it uses "adclick.php" file. the vulnerability occurs with "_maxdest" parameter. Solutions: 2014-10-12 Public disclosure with self-written patch. References: https://github.com/kriwil/OpenX/blob/master/www/index.php http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability/ http://www.openx.com http://cwe.mitre.org http://cve.mitre.org/