http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-06


PR10-06 Cross-domain redirect on PGP Universal Web Messenger
Advisory publicly released: Thursday, 16 December 2010
Vulnerability found: Wednesday, 10 February 2010
Vendor informed: Wednesday, 10 February 2010
Vulnerability fixed: Tuesday, 14 December 2010
Severity level: Medium/High
Credits
Jan Fry of ProCheckUp Ltd (www.procheckup.com).
Description
A remote URI redirection vulnerability affects the PGP Universal Web
Messenger. This issue is due to a failure of the application to properly
sanitize URI-supplied data assigned to the 'retryURL' parameter.

An attacker may leverage this issue to carry out convincing phishing
attacks against unsuspecting users by causing an arbitrary page to be
loaded once a PGP Universal Web Messenger specially-crafted URL is visited.

Vulnerable server-side script: '/b/lnj.e?'

Unfiltered parameter: 'retryURL'
Proof of concept
Example of specially-crafted URL:

https://target-domain.foo/b/lnj.e?retryURL=//www.procheckup.com

Consequences:

Victim users can be redirected to third-party sites for the purpose of
exploiting browser vulnerabilities or performing phishing attacks.
How to fix
The vendor has stated that this issue was addressed in the PGP Universal
Web Messenger.
References


Legal
Copyright 2010 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the
Internet community
for the purpose of alerting them to problems, if and only if, the
Bulletin is not edited
or changed in any way, is attributed to Procheckup, and provided such
reproduction and/or
distribution is performed for non-commercial purposes.


Any other use of this information is prohibited. Procheckup is not
liable for any misuse of this information by any third party.