xian Posted February 26, 2015 Report Posted February 26, 2015 Steps to reproduce the vulnerability: Different kinds of ads are shown on one of sites and clicking on them redirect one to the respective website. But this redirection isn't properly sanitized and this link(s) are using for for redirecting to anysite(s) including phishing and spam site(s) which caused harm like redirecting to phishing login page. here I used ad.example.com Steps: 01. Clicking on any ad opens a new link For me it is http://ad.example.com/www/delivery/ck.php?oaparams=2__bannerid=14__zoneid=6__cb=1e354023f6__oadest=http://www.yahoo.com Here we see that ck.php has multiple parameter. 02. the last parameter for ck.php is "oadest=" (excluding the " ) 03. There in oadest parameter an URL is given. We can put any URL there and it will be redirect to thathttp://ad.example.com/www/delivery/ck.php?oaparams=2__bannerid=14__zoneid=6__cb=1e354023f6__oadest=http://www.google.com It redirect(s) to Google 04. Now I tried to see what happens if I remove oadest parameter. If I remove that the link is redirected to the correct sitehttp://ad.example.com/www/delivery/ck.php?oaparams=2__bannerid=14__zoneid=6__cb=1e354023f6 05. And then I tried what happens if the remove all the parameter except oadesthttp://ad.example.com/r/www/delivery/ck.php?oadest=http://www.google.com and it is redirecting to Google once again. 06. I think it can be more serious if we try with ../ it redirects to admin panelhttp://ad.example.com/www/delivery/ck.php?oadest=../? Now this vulnerability has been used to do phishing and spam attack saying that it is a link form corosponding website and it is trusted then it asking for login to a phishing site. Please provide us a fix of it ASAP. pkolze 1 Quote
Matteo Beccati Posted February 27, 2015 Report Posted February 27, 2015 Thanks for the report. It is a known issue, since many years actually. The problem is that the oadest parameter is required for certain functionalities to work, and to this day no solution has been found that allows it while making it safer. I have spent myself numerous hours on it but I couldn't come up with anything good enough. If you have a working solution, we'd be happy to review it and apply it. Quote
xian Posted March 13, 2015 Author Report Posted March 13, 2015 isnt it possible to obfuscate the whole link? like ADzerk? Quote
maxbaldin Posted April 8, 2015 Report Posted April 8, 2015 Thanks for the report. It is a known issue, since many years actually. The problem is that the oadest parameter is required for certain functionalities to work, and to this day no solution has been found that allows it while making it safer. I have spent myself numerous hours on it but I couldn't come up with anything good enough. If you have a working solution, we'd be happy to review it and apply it. Why not use CSRF token? Quote
Matteo Beccati Posted April 10, 2015 Report Posted April 10, 2015 Why not use CSRF token? I'm sorry, CSRF tokens have a very different purpose: session based, one-consumption-only tokens won't help for this use case. Quote
pkolze Posted May 8, 2015 Report Posted May 8, 2015 Hey, i could not find these bug on https://github.com/revive-adserver/revive-adserver/issues . Does anybody got a hint for me ? Is it possible to block these feature if its not used ? Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.