Exploit Title: OpenX Open Redirect Vulnerability
Product: OpenX
Vendor:  OpenX
Vulnerable Versions: 2.8.10 and probably prior
Tested Version: 2.8.10
Advisory Publication: OCT 8, 2014
Latest Update:  OCT 8, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-2230
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]







Vulnerability Details:

OpenX adclick.php, ck.php, vulnerable to Open Redirect attacks.

Source code of adclick.php:
$destination = MAX_querystringGetDestinationUrl($adId[0]);
MAX_redirect($destination);

The "MAX_redirect" function is bellow,
function MAX_redirect($url)
{
if (!preg_match('/^(?:javascript|data):/i', $url)) {
header('Location: '.$url);
MAX_sendStatusCode(302);
}

The header() function sends a raw HTTP header to a client without any
checking of the "$dest" parameter at all.


(1) For "adclick.php", the vulnerability occurs with "&dest" parameter.


(2) For "ck.php", it uses "adclick.php" file. the vulnerability occurs with
"_maxdest" parameter.








Solutions:
2014-10-12 Public disclosure with self-written patch.


References:
https://github.com/kriwil/OpenX/blob/master/www/index.php
http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability/
http://www.openx.com
http://cwe.mitre.org
http://cve.mitre.org/