Vulnerable Vectors In PHP Based Redirection Pages [redirect.php4/redirect.php5]


zeroknock [at] secniche.org


For Education Purposes Only!


Talk about Vulnerability Vector.

Discussion of this issue is really necessary. I have come across a definite vulnerability in PHP-based redirection pages, which makes a number of websites vulnerable. The vector arises in redirect.php4 / redirect.php5 web pages. Websites using this type of page are mostly vulnerable to redirection parameter injection. No doubt the error is in the design of the code. I have enumerated a number of websites through Google hacking and found most of them vulnerable. The exact issue:

		This is a design flaw. It has already been reported to a number of websites.
		
		An attacker can inject a url parameter at the end of the request, set to the target to which
		the page then gets redirected.
	       
	       Example : http://www.example.com/redirect.php4?id=[] 
	       		 http://www.example.com/redirect.php5?id=[] 
	       		 
	       Exploited URL : http://www.example.com/redirect.php4?url=[target name]
	       		       http://www.example.com/redirect.php5?url=[target name] 
	       		       
	       As this issue has been noticed by the websites, most of them have corrected things in the
	       following ways:
	       
	       1. Most websites redirect the error to the index page.
	       2. An "Object not found" error page is displayed.
	       3. PHPSESSIONID is used for session checking.
	       4. Incorrect redirection.
	       
	       I Think It Has To Be Discussed
	       
	       Example: Recently the SAPinfo website removed this vulnerability.
	       
	       Remember that this analysis is based on redirect pages that are traversed by search engines. Think
	       about those pages that are not searched.
	       
	 
I must say you should traverse websites through Google hacking, which throws up a lot of results regarding this aspect. If you start enumerating, then you will find a lot of websites vulnerable to this issue. Two types of infection occur:

1. The web page is vulnerable to redirection attacks.
2. Due to injection of the url parameter, the websites throw errors, which results in a lot of information disclosure. It looks like an injection layout.
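
An added example, not part of the original advisory and not code from any site it names: a redirect page that resolves the numeric id server-side and, where a url parameter must be accepted, allows only http(s) targets on listed hosts, falling back to the index page otherwise. The id table, host list, function name and fallback path are hypothetical, and the commented "vulnerable pattern" is an assumption, since the advisory shows no source code.

```php
<?php
// Added example: hardened redirect page. All names and data are hypothetical.
// Constructed allow-list (stands in for a database lookup): id => fixed target.
const REDIRECT_TARGETS = [
    487  => 'https://partner.example.com/offer',
    1415 => 'https://shop.example.org/',
];
const ALLOWED_HOSTS = ['partner.example.com', 'shop.example.org'];
const FALLBACK = '/index.php';

// Assumed shape of the vulnerable pattern (the advisory shows no code), for contrast:
//   header('Location: ' . $_GET['url']);

function resolve_target(array $query): string
{
    // Preferred: an opaque id resolved server-side; the client never supplies a URL.
    if (isset($query['id']) && is_string($query['id']) && ctype_digit($query['id'])) {
        return REDIRECT_TARGETS[(int) $query['id']] ?? FALLBACK;
    }
    // If a url parameter must be supported, accept only http(s) on listed hosts.
    if (isset($query['url']) && is_string($query['url'])) {
        $url = $query['url'];
        // Reject whitespace/control characters (header splitting) and backslashes.
        if (preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
            return FALLBACK;
        }
        $parts = parse_url($url);
        if (is_array($parts)
            && isset($parts['scheme'], $parts['host'])
            && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            && !isset($parts['user']) && !isset($parts['pass'])
            && in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
            return $url;
        }
    }
    return FALLBACK;
}

if (PHP_SAPI !== 'cli') {
    ini_set('display_errors', '0'); // bad input must not surface PHP error output
    header('Location: ' . resolve_target($_GET), true, 302);
    exit;
}
// Run from the command line to see how constructed sample queries resolve.
foreach (['id=487', 'id=9999', 'url=http://www.google.com', 'url=//evil.example', 'url=https://shop.example.org/a'] as $qs) {
    parse_str($qs, $q);
    echo $qs, ' => ', resolve_target($q), PHP_EOL;
}
```

Matching the host exactly, rather than by prefix or substring, is what stops look-alike hosts and user-info tricks from passing the check.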

Here I am showing some of the vulnerable vectors due to this issue.


[Error Type:A]



[Error Type:B]



[Error Type:C]



[Error Type:D]



Here are some of the redirected links to prove the concept.

	 Generic Link   : http://www.suchbiene.de/redirect.php4?id=487
	 Exploited Link : http://www.suchbiene.de/redirect.php4?url=http://www.google.com

	 Generic Link   : http://www.ptadsrv.de/srv/link/redirect.php4?k=1415
	 Exploited Link : http://www.ptadsrv.de/srv/link/redirect.php4?url=http://www.google.com

	 Generic Link   : http://www.vulkanland.at/redirect.php5?typID=6
	 Exploited Link : http://www.vulkanland.at/redirect.php5?url=http://www.google.com

	 Generic Link   : http://www.scc.co.at/~kuehwi/projects/vulkanland/redirect.php5?typID=9
	 Exploited Link : http://www.scc.co.at/~kuehwi/projects/vulkanland/redirect.php5?url=http://www.google.com
	 
	 
This is a critical issue that needs attention.

The Analysis is All done!