List: full-disclosure
Subject: [FD] CVE-2014-2230 - OpenX Open Redirect Vulnerability
From: Jing Wang <justqdjing () gmail ! com>
Date: 2014-10-16 4:33:23
Message-ID: CAFWG0-iA3rM=ppKEoMg4_sUrqzOWPTELd7khBq30EExefOAvgA () mail ! gmail ! com
Exploit Title: OpenX Open Redirect Vulnerability
Product: OpenX
Vendor: OpenX
Vulnerable Versions: 2.8.10 and probably prior
Tested Version: 2.8.10
Advisory Publication: OCT 8, 2014
Latest Update: OCT 8, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-2230
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]
Vulnerability Details:
OpenX's adclick.php and ck.php are vulnerable to Open Redirect attacks.
Source code of adclick.php:
$destination = MAX_querystringGetDestinationUrl($adId[0]);
MAX_redirect($destination);
The "MAX_redirect" function is below:
function MAX_redirect($url)
{
    if (!preg_match('/^(?:javascript|data):/i', $url)) {
        header('Location: '.$url);
        MAX_sendStatusCode(302);
    }
}
The header() function sends a raw HTTP header to a client without any
checking of the "$dest" parameter at all.
(1) For "adclick.php", the vulnerability occurs with the "&dest" parameter.
(2) "ck.php" uses the "adclick.php" file; the vulnerability occurs with the
"_maxdest" parameter.
Solutions:
2014-10-12 Public disclosure with self-written patch.
References:
https://github.com/kriwil/OpenX/blob/master/www/index.php
http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability/
http://www.openx.com
http://cwe.mitre.org
http://cve.mitre.org/
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
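
Added example (not part of the original advisory, and not the OpenX patch): the scheme blocklist quoted from MAX_redirect() above, next to an allowlist check on the destination host. The function names, the allowlist and the sample URLs are hypothetical and constructed for illustration.

```php
<?php
// Added example, not OpenX code: function names and the allowlist are hypothetical.

// The check quoted in the advisory: a blocklist of two schemes.
function blocklist_allows($url)
{
    return !preg_match('/^(?:javascript|data):/i', $url);
}

// Allowlist check: absolute http(s) URL whose host is a known landing host.
function is_allowed_destination($url, array $allowedHosts)
{
    // Control characters and backslashes are ambiguous between parsers; reject.
    if (!is_string($url) || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative, protocol-relative ("//host") or malformed
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // "http://trusted@other-host/" style confusion
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

function safe_redirect($url, array $allowedHosts, $fallback = '/')
{
    $target = is_allowed_destination($url, $allowedHosts) ? $url : $fallback;
    header('Location: ' . $target, true, 302);
}

// Constructed sample values.
$allowed = array('advertiser.example');
$samples = array(
    'https://advertiser.example/landing?id=7',
    'http://unrelated.example/',
    '//unrelated.example/',
    'https://advertiser.example@unrelated.example/',
    'javascript:alert(1)',
);
foreach ($samples as $u) {
    printf("%-48s blocklist=%s allowlist=%s\n", $u,
        blocklist_allows($u) ? 'pass' : 'block',
        is_allowed_destination($u, $allowed) ? 'pass' : 'block');
}
```

Run from the PHP CLI, only the first sample passes the allowlist, while the blocklist passes every sample except the javascript: one.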