MailChimp’s Login, Olark, Kaneva Sign-in Page Open Redirect Vulnerability

MailChimp’s Login Page Open Redirect Vulnerability

The vulnerability exists on the “http://login.mailchimp.com/?” page in the “referrer” parameter, e.g.
http://login.mailchimp.com/?referrer=http://google.com [1]
When a user who is not yet logged in opens the URL ([1]), the MailChimp login page appears and the user enters his/her username and password. Once the login succeeds, the user is redirected to the address supplied in “referrer”, which can be a webpage outside MailChimp. The login form itself is the genuine one on the MailChimp domain, so the victim has no visible reason to distrust the link; only the post-login destination is under the attacker's control.
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(1) I will use the following tests to illustrate the scenario described above.
The redirected webpage address is “http://www.tetraph.com/essayjeans/poems/thatday.html”. It is one of my webpages; for the purpose of the test we can suppose that this webpage is malicious.

Olark Open Redirect Vulnerability

The vulnerability can be exploited without the user being logged in. My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(1) I will use one of my webpages for the following tests. The webpage address is “http://www.tetraph.com/essaybeans/reflections/solitude.html”. We can suppose that this webpage is malicious.

Kaneva Sign-in Page Open Redirect Vulnerability

From: http://www.tetraph.com/blog/2014/04/kaneva-sign-page-open-redirect-vulnerability/

The vulnerability exists on the “loginSecure.aspx” page in the “logretURLNH” parameter, e.g.
http://www.kaneva.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com [1]
When victims who are not logged in open the URL ([1]) above, the Kaneva Sign-in page is displayed and they enter their username and password. After a successful sign-in they are redirected to the URL-encoded address carried in “logretURLNH”, which can be a webpage outside Kaneva.
My tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.
(1) I will use the following tests to illustrate the scenario described above.
The redirected webpage address is “http://www.tetraph.com/essaybeans/street_artists/clark_quay.html”. It is one of my webpages; for the purpose of the test we can suppose that this webpage is malicious.
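All three reports above describe the same flaw: a login page takes a return-URL parameter (“referrer” on MailChimp, “logretURLNH” on Kaneva) and, after a successful login, sends the browser wherever that parameter points. The following Python is an added example written for this page, not code from MailChimp, Olark, Kaneva or the original author. It runs a hypothetical login host (login.example.com) through the vulnerable pattern and a hardened check that only allows same-origin targets, including the usual bypass attempts (protocol-relative “//host”, backslash variants, userinfo and look-alike hosts, non-https schemes). The sample URLs are constructed to mirror the PoC links in the advisory.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical login host used for this example only; the sites named in the
# advisory (login.mailchimp.com, olark.com, www.kaneva.com) are not involved.
LOGIN_HOST = "login.example.com"


def vulnerable_post_login_redirect(target):
    """The flawed pattern the advisory describes: after a successful login the
    value of the redirect parameter ("referrer", "logretURLNH", ...) is sent
    back as the Location header with no check on where it points."""
    return target or "/"


def is_safe_redirect(target, host=LOGIN_HOST):
    """Accept a post-login redirect target only if it stays on our own origin.

    Rejected cases include: absolute URLs to other hosts, protocol-relative
    "//evil.example", backslash variants "/\\evil.example" (browsers treat the
    backslash like a slash), userinfo tricks "https://login.example.com@evil",
    look-alike hosts "login.example.com.evil.example", non-https schemes such as
    "javascript:", and anything containing whitespace or control characters.
    """
    if not target:
        return False
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Normalise backslashes first so "/\evil" is parsed as "//evil".
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme or parts.netloc:
        # Absolute (or protocol-relative) URL: https, our host, no userinfo.
        if parts.scheme.lower() != "https":
            return False
        if parts.username is not None or parts.password is not None:
            return False
        return (parts.hostname or "").lower() == host.lower()
    # Relative URL: must be a plain absolute path on this origin.
    return normalised.startswith("/") and not normalised.startswith("//")


def hardened_post_login_redirect(target, fallback="/"):
    """Same entry point as the vulnerable version, but off-site targets are
    replaced by a fixed fallback path instead of being followed."""
    return target if is_safe_redirect(target) else fallback


def redirect_from_login_url(login_url, param="referrer"):
    """Pull the redirect parameter out of a login URL of the kind shown in the
    advisory (e.g. ?referrer=http://google.com) and return the Location the
    vulnerable and the hardened handler would each send after login."""
    query = parse_qs(urlsplit(login_url).query)
    target = query.get(param, [""])[0]
    return (vulnerable_post_login_redirect(target),
            hardened_post_login_redirect(target))


if __name__ == "__main__":
    # Constructed inputs modelled on the advisory's PoC URLs, on the
    # hypothetical host.
    samples = [
        ("https://login.example.com/?referrer=http://google.com", "referrer"),
        ("https://login.example.com/loginSecure.aspx?logretURLNH=http%3a%2f%2fmsn.com",
         "logretURLNH"),
        ("https://login.example.com/?referrer=/account/settings", "referrer"),
    ]
    for url, param in samples:
        vuln, hard = redirect_from_login_url(url, param)
        print(f"{url}\n  vulnerable -> {vuln}\n  hardened   -> {hard}")
```

The check is deliberately an allow-list on the parsed host rather than a string prefix test: a prefix test on “http://login.example.com” is exactly what the userinfo and look-alike cases defeat. Where a site legitimately needs to return users to other domains, the same function can be extended with an explicit list of permitted hosts; anything not on that list should fall back to a fixed local path, as above.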
Credit:
WANG Jing (王晶), a mathematics PhD student from Nanyang Technological University.
Nanyang Technological University & University of Science and Technology of China & No.1 Middle School of Jiaonan (Huangdao)