PGP Universal Web Messenger Cross-Domain Redirect

Published: 16 Dec 2010
Reported by: ProCheckUp
Source: packetstorm (packetstormsecurity.com)

PGP Universal Web Messenger cross-domain (open) redirect vulnerability, found by ProCheckUp and fixed by the vendor.

Code
http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-06

PR10-06 Cross-domain redirect on PGP Universal Web Messenger  
Advisory publicly released: Thursday, 16 December 2010  
Vulnerability found: Wednesday, 10 February 2010  
Vendor informed: Wednesday, 10 February 2010  
Vulnerability fixed: Tuesday, 14 December 2010  
Severity level: Medium/High  
Credits  
Jan Fry of ProCheckUp Ltd (www.procheckup.com).  
Description  
A remote URI redirection (open redirect) vulnerability affects the PGP Universal Web Messenger. The application does not validate the URI-supplied value of the 'retryURL' parameter before using it as the target of a redirect, so the attacker chooses the destination.

An attacker may leverage this issue to carry out convincing phishing attacks against unsuspecting users: a link whose visible host is the trusted PGP Universal Web Messenger server silently forwards the victim to an arbitrary page once the specially-crafted URL is visited.

Vulnerable server-side script: '/b/lnj.e?'

Unfiltered parameter: 'retryURL'
Proof of concept  
Example of specially-crafted URL:

https://target-domain.foo/b/lnj.e?retryURL=//www.procheckup.com

The value is a scheme-relative (network-path) reference: the browser resolves '//www.procheckup.com' against the https: origin of the Web Messenger and lands on https://www.procheckup.com. A value of this form passes any filter that merely requires the parameter to begin with '/' or that only rejects values starting with 'http://' or 'https://'.

Consequences:

Victim users can be redirected to third-party sites for the purpose of exploiting browser vulnerabilities or performing phishing attacks.
How to fix  
The vendor has stated that this issue was addressed in the PGP Universal Web Messenger. The advisory gives no fixed version number, so confirm the status of a given deployment against the vendor's release notes.

Generic mitigation for this class of bug: accept only same-origin relative paths for 'retryURL' (reject any value with a scheme, a host, or a leading '//' or '/\'), or replace the free-form parameter with an index into a server-side allow-list of return pages.
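The following Python is an added example and is not code from the ProCheckUp advisory or from the PGP product. It shows why the scheme-relative proof-of-concept value slips past a naive "starts with /" check, where a browser actually lands when that value is echoed back as a redirect target, and one strict validator for 'retryURL' that only lets same-origin paths through. The check functions and their names are assumptions; the host names and the endpoint path are taken from the PoC URL above, and the list of sample values is constructed for the demonstration.

```python
"""
Added example, not code from the ProCheckUp advisory or from the PGP product.
Demonstrates why the scheme-relative PoC value slips past a naive check and
how a strict same-origin validator for 'retryURL' rejects it.  The check
functions below are hypothetical; host names and the endpoint path are the
ones from the advisory's PoC URL.
"""
from urllib.parse import unquote, urljoin, urlsplit

# Origin and endpoint of the (hypothetical) vulnerable Web Messenger, from the PoC URL.
BASE = "https://target-domain.foo/b/lnj.e"

# Constructed sample values for retryURL: the advisory's PoC plus common variants.
SAMPLES = [
    "/b/lnj.e?retry=1",            # legitimate same-origin path
    "//www.procheckup.com",        # the advisory's PoC: scheme-relative
    "/\\www.procheckup.com",       # browsers treat a backslash like a slash
    "%2F%2Fwww.procheckup.com",    # same payload, URL-encoded once more
    "https://www.procheckup.com",  # absolute URL
    "javascript:alert(1)",         # non-http scheme
]


def naive_is_local(url: str) -> bool:
    """A check of the kind the advisory implies is insufficient (assumed, not
    the vendor's code): 'anything starting with / must be a local path'."""
    return url.startswith("/")


def browser_destination(url: str, base: str = BASE) -> str:
    """Where the browser goes if the server answers 'Location: <url>'.

    urljoin follows RFC 3986: a network-path reference (//host) keeps only the
    scheme of the base, so //www.procheckup.com becomes https://www.procheckup.com.
    Real browsers (WHATWG URL) additionally treat '\\' as '/', which urljoin does
    not model; safe_retry_url normalises that case itself.
    """
    return urljoin(base, url)


def safe_retry_url(url: str, fallback: str = "/") -> str:
    """Accept url only if it can never leave the current origin; else fallback.

    Checks run on a decoded, backslash-normalised copy so that encoded or
    '\\'-disguised variants are judged by what a browser would do with them.
    The original string is returned unchanged when it passes.
    """
    if not url:
        return fallback
    candidate = unquote(url).replace("\\", "/")
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return fallback                 # CR/LF etc. would split the header
    if candidate.startswith("//"):
        return fallback                 # scheme-relative: //host/... (the PoC)
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return fallback                 # http://..., javascript:..., data:...
    if not candidate.startswith("/"):
        return fallback                 # insist on an absolute same-origin path
    return url


def evaluate(url: str) -> dict:
    """Run one candidate through all three functions (used by main below)."""
    return {
        "value": url,
        "naive_accepts": naive_is_local(url),
        "browser_goes_to": browser_destination(url),
        "strict_result": safe_retry_url(url),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        r = evaluate(sample)
        print(f"{r['value']!r:32} naive={r['naive_accepts']!s:5} "
              f"browser->{r['browser_goes_to']:48} strict->{r['strict_result']}")
```

Running the script prints one row per sample: the PoC value is accepted by the naive check, resolves in the browser to https://www.procheckup.com, and is replaced by '/' by the strict validator. The validator deliberately falls back rather than trying to "repair" a suspicious value, since a redirect target is an all-or-nothing decision.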
Legal  
Copyright 2010 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.
