KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

KnowledgeTree OSS 3.0.3b Reflected XSS (Cross-site Scripting) Web Application 0-Day Security Bug

 

Exploit Title: KnowledgeTree login.php &errorMessage parameter Reflected XSS Web Security Vulnerability

Product: Knowledge Tree Document Management System

Vendor: Knowledge Inc

Vulnerable Versions: OSS 3.0.3b

Tested Version: OSS 3.0.3b

Advisory Publication: August 22, 2015

Latest Update: August 31, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference:

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

knowledge_tree_page

 

 

knowledge tree_xss

 

 

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

KnowledgeTree

 

Product & Vulnerable Versions:

Knowledge Tree Document Management System

OSS 3.0.3b

 

Vendor URL & Download:

Product can be obtained from here,
http://download.cnet.com/KnowledgeTree-Document-Management-System/3000-10743_4-10632972.html
http://www.knowledgetree.com/

 

Product Introduction Overview:

“KnowledgeTree is open source document management software designed for business people to use and install. Seamlessly connect people, ideas, and processes to satisfy all your collaboration, compliance, and business process requirements. KnowledgeTree works with Microsoft® Office®, Microsoft® Windows® and Linux®.”

 

 

 

 

(2) Vulnerability Details:

KnowledgeTree web application has a computer security problem. Hackers can exploit it by reflected XSS cyber attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. KnowledgeTree has patched some of them. “Bugtraq is an electronic mailing list dedicated to issues about computer security. On-topic issues are new discussions about vulnerabilities, vendor security-related announcements, methods of exploitation, and how to fix them. It is a high-volume mailing list, and almost all new vulnerabilities are discussed there.”. It has listed similar exploits, such as Bugtraq (Security Focus) 32920.

 

(2.1) The code flaw occurs at “&errorMessage” parameter in “login.php” page.

One similar bug is CVE-2008-5858. Its X-Force ID is 47529.

 

 

 

 

 

References:
http://seclists.org/oss-sec/2015/q3/458
http://tetraph.com/security/xss-vulnerability/knowledgetree-oss-3-0-3b-reflected-xss/
https://progressive-comp.com/?l=oss-security&m=144094021709472
https://infoswift.wordpress.com/2015/08/31/knowledge-tree-xss/
http://japanbroad.blogspot.jp/2015/08/knowledge-tree-bug-exploit.html
http://marc.info/?l=full-disclosure&m=144099659719456&w=4
http://tetraph.blog.163.com/blog/static/234603051201573144123156/
http://www.openwall.com/lists/oss-security/2015/08/30/2
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02446.html
http://itinfotech.tumblr.com/post/128016383831/knowledge-tree-xss
http://germancast.blogspot.com/2015/08/knowledge-tree-xss.html
http://permalink.gmane.org/gmane.comp.security.oss.general/17655
http://webtech.lofter.com/post/1cd3e0d3_806e1d4


 

Advertisements

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

netcat_4

 

OSVDB 120807 NetCat CMS 3.12 HTML Injection Web Security Vulnerabilities

 

Exploit Title: NetCat CMS 3.12 /catalog/search.php? q Parameter HTML Injection Web Security Vulnerabilities

Product: NetCat CMS (Content Management System)

Vendor: NetCat

Vulnerable Versions: 3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

Tested Version: 3.12

Advisory Publication: April 15, 2015

Latest Update: April 15, 2015

Vulnerability Type: Improper Input Validation [CWE-20]

CVE Reference: *

OSVDB Reference: 120807

CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification

Discover and Reporter: Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

 

 

 



Advisory Details:



(1) Vendor & Product Description:


Vendor:

NetCat

 

Product & Vulnerable Version:

NetCat

3.12 3.0 2.4 2.3 2.2 2.1 2.0 1.1

 

Vendor URL & Download:

NetCat can be downloaded from here,

http://netcat.ru/

 

Product Introduction Overview:

NetCat.ru is russian local company. “NetCat designed to create an absolute majority of the types of sites: from simple “business card” with a minimum content to complex web-based systems, from corporate offices to online stores, libraries or media data – in other words, projects completely different directions and at any level of complexity. View examples of sites running on NetCat CMS can be in a special section.”

“Manage the site on the basis of NetCat can even inexperienced user, because it does not require knowledge of Internet technologies, programming and markup languages. NetCat constantly improving, adds new features. In the process of finalizing necessarily take into account the wishes of our partners and clients, as well as trends in Internet development. More than 2,000 studios and private web developers have chosen for their projects is NetCat, and in 2013 sites, successfully working on our CMS, created more than 18,000.”

 

 

 

(2) Vulnerability Details:

NetCat web application has a computer security bug problem. It can be exploited by HTML Injection attacks. Hypertext Markup Language (HTML) injection, also sometimes referred to as virtual defacement, is an attack on a user made possible by an injection vulnerability in a web application. When an application does not properly handle user supplied data, an attacker can supply valid HTML, typically via a parameter value, and inject their own content into the page. This attack is typically used in conjunction with some form of social engineering, as the attack is exploiting a code-based vulnerability and a user’s trust.

Several NetCat products 0-day vulnerabilities have been found by some other bug hunter researchers before. NetCat has patched some of them. Web Security Watch is an aggregator of security reports coming from various sources. It aims to provide a single point of tracking for all publicly disclosed security issues that matter. “Its unique tagging system enables you to see a relevant set of tags associated with each security alert for a quick overview of the affected products. What’s more, you can now subscribe to an RSS feed containing the specific tags that you are interested in – you will then only receive alerts related to those tags.” It has published suggestions, advisories, solutions details related to cyber security vulnerabilities.

 

(2.1) The programming code flaw occurs at “/catalog/search.php?” page with “&q” parameter.

 

 

 

 

Related Articles:
http://www.osvdb.org/show/osvdb/120807
http://seclists.org/fulldisclosure/2015/Apr/37
http://lists.openwall.net/full-disclosure/2015/04/15/3
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1843
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01922.html
http://cxsecurity.com/search/author/DESC/AND/FIND/1/10/Wang+Jing/
https://progressive-comp.com/?l=full-disclosure&m=142907520526783&w=1
http://tetraph.com/security/html-injection/netcat-cms-3-12-html-injection/
http://whitehatpost.blog.163.com/blog/static/242232054201551434123334/
http://russiapost.blogspot.ru/2015/06/netcat-html-injection.html
https://inzeed.wordpress.com/2015/04/21/netcat-html-injection/
http://computerobsess.blogspot.com/2015/06/osvdb-120807.html
http://blog.163.com/greensun_2006/blog/static/11122112201551434045926/
http://www.inzeed.com/kaleidoscope/computer-web-security/netcat-cms-3-12-html/
http://germancast.blogspot.de/2015/06/netcat-html-injection.html
http://diebiyi.com/articles/security/netcat-cms-3-12-html-injection/

 

 

 

CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

cit_e_net
 

CVE-2014-8753 Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Exploit Title: Cit-e-Net Multiple XSS (Cross-Site Scripting) Web Security Vulnerabilities

Product: Cit-e-Access

Vendor: Cit-e-Net

Vulnerable Versions: Version 6

Tested Version: Version 6

Advisory Publication: February 12, 2015

Latest Update: June 01, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2014-8753

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Discover and Author: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

Instruction Details:

(1) Vendor & Product Description:




Vendor:

Cit-e-Net

 

 

Product & Version:

Cit-e-Access

Version 6

 

 

Vendor URL & Download:

Cit-e-Net can be downloaded from here,

 

 

Product Introduction:

“We are a premier provider of Internet-based solutions encompassing web site development and modular interactive e-government applications which bring local government, residents and community businesses together.

Cit-e-Net provides a suite of on-line interactive services to counties, municipalities, and other government agencies, that they in turn can offer to their constituents. The municipal government achieves a greater degree of efficiency and timeliness in conducting the daily operations of government, while residents receive improved and easier access to city hall through the on-line access to government services.


Our web-based applications can help your municipality to acheive its e-government goals. Type & click website content-management empowers the municipality to manage the website quickly and easily. Web page styles & formats are customizable by the municipality, and because the foundation is a database application, user security can be set for individual personnel and module applications. Our application modules can either be integrated into your existing municipal web site or implemented as a complete web site solution. It’s your choice! Please contact us at info@cit-e.net to view a demonstration of our municipal web site solution if you are an elected official or member of municipal management and your municipality is looking for a cost efficient method for enhancing & improving municipal services.


Interactive Applications

Online Service Requests

Online Tax Payments by ACH electronic-check or credit card.

Online Utility Payments by ACH electronic-check or credit card.

Online General-Payments by ACH electronic-check or credit card.

Submit Volunteer Resume’s Online for the municipality to match your skills with available openings.”

 

 

 

(2) Vulnerability Details:

Cit-e-Access web application has a security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

Several similar products 0Day vulnerabilities have been found by some other bug hunter researchers before. Cit-i-Access has patched some of them. Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals. It has published suggestions, advisories, solutions details related to important vulnerabilities.

 

 

(2.1) The first programming code flaw occurs at “/eventscalendar/index.cfm?” page with “&DID” parameter in HTTP GET.

(2.2) The second programming code flaw occurs at “/search/index.cfm?” page with “&keyword” parameter in HTTP POST.

(2.3) The third programming code flaw occurs at “/news/index.cfm” page with “&jump2” “&DID” parameter in HTTP GET.

(2.4) The fourth programming code flaw occurs at “eventscalendar?” page with “&TPID” parameter in HTTP GET.

(2.5) The fifth programming code flaw occurs at “/meetings/index.cfm?” page with “&DID” parameter in HTTP GET.

 

 

 

 

(3) Solutions:

Leave message to vendor. No response.
http://www.cit-e.net/contact.cfm

 

 

 

 

 

References:
http://seclists.org/fulldisclosure/2015/Feb/48
http://lists.openwall.net/full-disclosure/2015/02/13/2
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1587
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01683.html
https://computerpitch.wordpress.com/2015/06/07/cve-2014-8753/
http://webtechhut.blogspot.com/2015/06/cve-2014-8753.html
https://www.facebook.com/websecuritiesnews/posts/804176613035844
https://twitter.com/tetraphibious/status/607381197077946368
http://biboying.lofter.com/post/1cc9f4f5_7356826
http://shellmantis.tumblr.com/post/120903342496/securitypost-cve-2014-8753
http://itprompt.blogspot.com/2015/06/cve-2014-8753.html
http://whitehatpost.blog.163.com/blog/static/24223205420155710559404/
https://plus.google.com/u/0/113115469311022848114/posts/FomMK9BGGx2
https://www.facebook.com/pcwebsecurities/posts/702290949916825
http://securitypost.tumblr.com/post/120903225352/cve-2014-8753-cit-e-net
http://webtech.lofter.com/post/1cd3e0d3_7355910
http://www.inzeed.com/kaleidoscope/cves/cve-2014-8753/
http://diebiyi.com/articles/security/cve-2014-8753/

 

 

 

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities

101770458-497953315.530x298

CVE-2015-2349 – SuperWebMailer 5.50.0.01160 XSS (Cross-site Scripting) Web Security Vulnerabilities



Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.*   4.*.0.*

Tested Version: 5.*.0.*   4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)








Information Details:



(1) Vendor & Product Description:



Vendor:

SuperWebMailer




Product & Vulnerable Versions:

SuperWebMailer

5.60.0.01190

5.50.0.01160

5.40.0.01145

5.30.0.01123

5.20.0.01113

5.10.0.00982

5.05.0.00970

5.02.0.00965

5.00.0.00962

4.50.0.00930

4.40.0.00917

4.31.0.00914

4.30.0.00907

4.20.0.00892

4.10.0.00875



Vendor URL & Download:

SuperWebMailer can be gained from here,

http://www.superwebmailer.de/




Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”


“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”


“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”






(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. 



Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.


(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.










Related Work:

http://seclists.org/fulldisclosure/2015/Mar/55

http://www.securityfocus.com/bid/73063

http://lists.openwall.net/full-disclosure/2015/03/07/3

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819

http://packetstormsecurity.com/files/131288/ECE-Projects-Cross-Site-Scripting.html

http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure&m=142551542201539&w=2

https://cxsecurity.com/issue/WLB-2015030043

http://aibiyi.lofter.com/post/1cc9f4e9_6edf9bf

http://tetraph.tumblr.com/post/118764414962/canghaixiao-cve-2015-2349-superwebmailer

http://canghaixiao.tumblr.com/post/118764381217/cve-2015-2349-superwebmailer-5-50-0-01160-xss

http://essaybeans.lofter.com/post/1cc77d20_6edf28c

https://www.facebook.com/essaybeans/posts/561250300683107

https://twitter.com/essayjeans/status/598021595974602752

https://www.facebook.com/pcwebsecurities/posts/687478118064775

http://tetraph.blog.163.com/blog/static/234603051201541231655569/

https://plus.google.com/112682696109623633489/posts/djqcrDw5dQp

http://essayjeans.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html

https://mathfas.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://www.tetraph.com/blog/xss-vulnerability/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

https://vulnerabilitypost.wordpress.com/2015/05/12/cve-2015-2349-superwebmailer-5-50-0-01160-xss/

http://aibiyi.blogspot.com/2015/05/cve-2015-2349-superwebmailer-550001160.html






CVE-2014-2230 – OpenX Dest Redirect Privilege Escalation Web Security Vulnerability

openx_1

 

CVE-2014-2230 – OpenX 2.8.10 Dest Redirect Privilege Escalation Web Security Vulnerability

 

Exploit Title: OpenX Dest Redirect Privilege Escalation Web Security Vulnerability

Product: OpenX

Vendor: OpenX

Vulnerable Versions: 2.8.10 and probably prior

Tested Version: 2.8.10

Advisory Publication: October 06, 2014

Latest Update: October 11, 2014

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

 

Caution Details:

 

(1) Vendor & Product Description:

Vendor:

OpenX

 

Product & Vulnerable Versions:

OpenX

2.8.10

 

Vendor URL & Download:

Product can be obtained from here,

http://openx.com/

 

Product Introduction Overview:

OpenX is a real time advertising technology company. The company has developed an integrated technology platform that combines ad server and a real time bidding (RTB) exchange with yield optimization for advertising and digital media companies. OpenX’s Ad Exchange is not only one of the world’s largest programmatic digital advertising exchanges. It’s the best performing marketplace with the highest-quality, independently-rated inventory. Building it was no small feat, and we were only able to do it because we understand that publishers’ primary goal with advertising is to optimize monetization. That means maximizing revenue and control, and our solution helps you do both. The first step in any high-performance marketplace is creating demand. Our real time auctions give you maximum exposure to demand sources. All of the largest DSPs, networks and agency trading desks, plus the top advertisers, already purchase inventory on OpenX’s Ad Exchange. We connect you to a broad and deep selection of buyers, and you choose which ones can bid and which impressions they can win. Once you have interested buyers, you want to be able to showcase your inventory and command the best price. Our Ad Exchange supports a variety of formats and screens, letting you easily make all of your inventory available on one platform. We also make it easy for you to extract the full value out of each impression. You can set price floors and employ whitelist and blacklist features to avoid channel conflict and potential dilution of relationships with advertisers who buy direct. Furthermore, you can utilize our technology to manage your premium inventory through direct relationships with advertisers by leveraging preferred deals and private auctions.

According to Pixelate, OpenX Marketplace has the highest quality ad inventory in 2015, beating Google’s ad marketplace (Google Adx). OpenX integrations are widely distributed / long tail and currently sees the second most impressions on the internet, after Google. It’s new traffic quality platform for viewability and fraud detection technology has ability to leverage this position by seeing impressions earlier than existing ad verification / pre-bid solutions used by DSP and agency trading desks. (a) OpenX was ranked the 3rd fastest growing software company in North America with 44,075% growth in revenues from 2008 – 2012 by Deloitte’s Technology Fast 500. (b) According to a report from LeadLedger.com, OpenX has the second largest publisher adserver install base behind Google in 2013. (c) OpenX’s current products include the OpenX Exchange, Ad Server, and SSP (supply side platform) with Demand Fusion. (d) 96% of top 100 brand advertisers and 58% of comScore 100 publishers work with OpenX, conducting 250 billion monthly transactions with 12 billion daily bids from buyers. All major demand side platforms (DSP) including Rocketfuel, Criteo, Turn, MediaMath, Invite Media and Appnexus buy from OpenX ad exchange.

 

 

 

(2) Vulnerability Details:

OpenX web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (Open Redirect or URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. OpenX has patched some of them. The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here! It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.

 

Source code of adclick.php:

$destination = MAX_querystringGetDestinationUrl($adId[0]);

MAX_redirect($destination);

 

The “MAX_redirect” function is bellow,

function MAX_redirect($url)

{

if (!preg_match(‘/^(?:javascript|data):/i’, $url)) {

header(‘Location: ‘.$url);

MAX_sendStatusCode(302);

}

 

The header() function sends a raw HTTP header to a client without any checking of the “$dest” parameter at all.

 

 

 

(1) For “adclick.php”, the code programming flaw occurs with “&dest” parameter.

 

 

(2) For “ck.php”, it uses “adclick.php” file. the code programming flaw occurs with “_maxdest” parameter.

 

 

 

 

 

(3) Solutions:

2014-10-12 Public disclosure with self-written patch.

 

 

 

 

References:

https://webtechwire.wordpress.com/2014/12/09/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

http://tetraph.com/security/cves/cve-2014-2230-openx-open-redirect-vulnerability-2/

http://tetraph.blogspot.com/2014/10/cve-2014-2230-openx-dest-redirect.html

http://tetraph.blog.163.com/blog/static/23460305120141011328886/

http://www.inzeed.com/kaleidoscope/open-redirect/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

http://diebiyi.com/articles/security/cves/cve-2014-2230-openx-open-redirect-vulnerability-2/

https://hackertopic.wordpress.com/2014/12/12/cve-2014-2230-openx-dest-redirect-privilege-escalation-vulnerability/

https://www.facebook.com/essaybeans/posts/479120835562721

http://ithut.tumblr.com/post/104660020768/whitehatview-cve-2014-2230-openx-dest-redirect