CVE-2014-8754 WordPress "Ad-Manager Plugin" Unvalidated Redirects and Forwards Web Security Vulnerability
Exploit Title: WordPress Ad-Manager Plugin Unvalidated Redirects and Forwards Vulnerability
Product: WordPress Ad-Manager Plugin
Vulnerable Versions: 1.1.2
Tested Version: 1.1.2
Advisory Publication: November 25, 2014
Latest Update: December 15, 2014
Vulnerability Type: URL Redirection to Untrusted Site [CWE-601]
CVE Reference: CVE-2014-8754
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modificationWriter and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
(1) Vendor & Product Description:
Product & Vulnerable Versions:
WordPress Ad-Manager Plugin
Vendor URL & Download:
Product can be obtained from here,
Product Introduction Overview:
"Wordpress Ad-Manager offers you a simple solution to implement advertising into your posts, your blog or any other Wordpress page. You can use pictures and images or HTML snippets like Google AdSense to incorporate advertising in an easy way. You are able to select ads via Ad Zones, to re-size them or to limit the height or the width. Wordpress Ad-Manager also offers statistics for the site admin. However, Wordpress Ad-Manager’s best feature is its simplicity. It’s easy to set up and also comes with a widget. What more could one want?"
(2) Vulnerability Details:
Ad-Manager Plugin web application has a computer cyber security problem. Hacker can exploit it by Unvalidated Redirects and Forwards (URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.
Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. Ad-Manager Plugin has patched some of them. The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here! It also publishs suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.
(2.1) The Dest Redirect Privilege Escalation code flaw occurs at "track-click.php" page with "&out" parameter.