New York Times Page Design XSS Vulnerability (Almost all Article Pages Before 2013 are Affected)






“The New York Times (NYT) is an American daily newspaper, founded and continuously published in New York City since September 18, 1851, by the New York Times Company. It has won 114 Pulitzer Prizes, more than any other news organization. The paper’s print version has the largest circulation of any metropolitan newspaper in the United States, and the second-largest circulation overall, behind The Wall Street Journal. It is ranked 39th in the world by circulation. Following industry trends, its weekday circulation has fallen to fewer than one million daily since 1990. Nicknamed for years as “The Gray Lady”, The New York Times is long regarded within the industry as a national “newspaper of record”. It is owned by The New York Times Company. Arthur Ochs Sulzberger, Jr., (whose family (Ochs-Sulzberger) has controlled the paper for five generations, since 1896), is both the paper’s publisher and the company’s chairman. Its international version, formerly the International Herald Tribune, is now called the International New York Times. The paper’s motto, “All the News That’s Fit to Print”, appears in the upper left-hand corner of the front page.” (Wikipedia)




(1) Vulnerability Description:

The New York Times has a computer cyber security problem. Hacker can exploit its users by XSS bugs.


The code program flaw occurs at New York Times’s URLs. Nytimes (short for New York Times) uses part of the URLs to construct its pages. However, it seems that Nytimes does not filter the content used for the construction at all before 2013.


Based on Nytimes’s Design, Almost all URLs before 2013 are affected (All pages of articles). In fact, all article pages that contain “PRINT” button, “SINGLE PAGE” button, “Page *” button, “NEXT PAGE” button are affected.


Nytimes changed this mechanism since 2013. It decodes the URLs sent to its server. This makes the mechanism much safer now.


However, all URLs before 2013 are still using the old mechanism. This means almost all article pages before 2013 are still vulnerable to XSS attacks. I guess the reason Nytimes does not filter URLs before is cost. It costs too much (money & human capital) to change the database of all posted articles before.










Living POCs Codes:’ “><img src=x onerror=prompt(/justqdjing/)>’ “><img src=x onerror=prompt(/justqdjing/)>?pagewanted=all&_r=0’ “><img src=x onerror=prompt(/justqdjing/)>’ “><img src=x onerror=prompt(/justqdjing/)>’ “><img src=x onerror=prompt(/justqdjing/)>’ “><img src=x onerror=prompt(/justqdjing/)>




(2) Vulnerability Analysis:
Take the following link as an example,“><vulnerabletoattack


It can see that for the page reflected, it contains the following codes. All of them are vulnerable.


<li class=”print”>

<a href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=print”>Print</testtesttest?pagewanted=print”></a>



<li class=”singlePage”>

<a href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><testtesttest?pagewanted=all”> Single Page</vulnerabletoattack?pagewanted=all”></a>



<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum2′);” title=”Page 2″ href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>2</testtesttest?pagewanted=2″></a>



<li> <a onclick=”s_code_linktrack(‘Article-MultiPagePageNum3′);” title=”Page 3″ href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=3″>3</testtesttest?pagewanted=3″></a>



<a class=”next” onclick=”s_code_linktrack(‘Article-MultiPage-Next’);” title=”Next Page” href=”/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/”><vulnerabletoattack?pagewanted=2″>Next Page »</testtesttest?pagewanted=2″></a>





(3) What is XSS?

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.


“Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records. Cross-site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques Cross-site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.” (Acunetix)


The vulnerability can be attacked without user login. Tests were performed on Firefox (34.0) in Ubuntu (14.04) and IE (9.0.15) in Windows 8.




Discover and Reporter:
Jing Wang, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)





More Details:




CVE-2014-7292 Newtelligence dasBlog Dest Redirect Privilege Escalation Vulnerability

Exploit Title: Newtelligence dasBlog Dest Redirect Privilege Escalation Vulnerability
Product: dasBlog
Vendor:    Newtelligence
Vulnerable Versions: 2.3 (2.3.9074.18820) 2.2 (2.2.8279.16125) 2.1(2.1.8102.813)
Tested Version: 2.3 (2.3.9074.18820)
Advisory Publication: OCT 15, 2014
Latest Update:    OCT 15, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)
Impact Subscore: 4.9
Exploitability Subscore: 8.6
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]



Advisory Details:

Newtelligence dasBlog ct.ashx is vulnerable to Open Redirect attacks.

dasBlog supports a feature called Click-Through which basically tracks all links clicked inside your blog posts. It’s a nice feature that allows the blogger to stay informed what kind of content readers like. If Click-Through is turned on, all URLs inside blog entries will be replaced with /ct.ashx?id=&url= which of course breaks WebSnapr previews.

Web.config code:



(1) The vulnerability occurs at “ct.ashx?” page, with “&url” parameter,.




2014-10-15 Public disclosure with self-written patch.





CVE-2014-2230 – OpenX Dest Redirect Privilege Escalation Web Security Vulnerability



CVE-2014-2230 – OpenX 2.8.10 Dest Redirect Privilege Escalation Web Security Vulnerability


Exploit Title: OpenX Dest Redirect Privilege Escalation Web Security Vulnerability

Product: OpenX

Vendor: OpenX

Vulnerable Versions: 2.8.10 and probably prior

Tested Version: 2.8.10

Advisory Publication: October 06, 2014

Latest Update: October 11, 2014

Vulnerability Type: URL Redirection to Untrusted Site (‘Open Redirect’) [CWE-601]

CVE Reference: *

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 5.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:N) (legend)

Impact Subscore: 4.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)





Caution Details:


(1) Vendor & Product Description:




Product & Vulnerable Versions:




Vendor URL & Download:

Product can be obtained from here,


Product Introduction Overview:

OpenX is a real time advertising technology company. The company has developed an integrated technology platform that combines ad server and a real time bidding (RTB) exchange with yield optimization for advertising and digital media companies. OpenX’s Ad Exchange is not only one of the world’s largest programmatic digital advertising exchanges. It’s the best performing marketplace with the highest-quality, independently-rated inventory. Building it was no small feat, and we were only able to do it because we understand that publishers’ primary goal with advertising is to optimize monetization. That means maximizing revenue and control, and our solution helps you do both. The first step in any high-performance marketplace is creating demand. Our real time auctions give you maximum exposure to demand sources. All of the largest DSPs, networks and agency trading desks, plus the top advertisers, already purchase inventory on OpenX’s Ad Exchange. We connect you to a broad and deep selection of buyers, and you choose which ones can bid and which impressions they can win. Once you have interested buyers, you want to be able to showcase your inventory and command the best price. Our Ad Exchange supports a variety of formats and screens, letting you easily make all of your inventory available on one platform. We also make it easy for you to extract the full value out of each impression. You can set price floors and employ whitelist and blacklist features to avoid channel conflict and potential dilution of relationships with advertisers who buy direct. Furthermore, you can utilize our technology to manage your premium inventory through direct relationships with advertisers by leveraging preferred deals and private auctions.

According to Pixelate, OpenX Marketplace has the highest quality ad inventory in 2015, beating Google’s ad marketplace (Google Adx). OpenX integrations are widely distributed / long tail and currently sees the second most impressions on the internet, after Google. It’s new traffic quality platform for viewability and fraud detection technology has ability to leverage this position by seeing impressions earlier than existing ad verification / pre-bid solutions used by DSP and agency trading desks. (a) OpenX was ranked the 3rd fastest growing software company in North America with 44,075% growth in revenues from 2008 – 2012 by Deloitte’s Technology Fast 500. (b) According to a report from, OpenX has the second largest publisher adserver install base behind Google in 2013. (c) OpenX’s current products include the OpenX Exchange, Ad Server, and SSP (supply side platform) with Demand Fusion. (d) 96% of top 100 brand advertisers and 58% of comScore 100 publishers work with OpenX, conducting 250 billion monthly transactions with 12 billion daily bids from buyers. All major demand side platforms (DSP) including Rocketfuel, Criteo, Turn, MediaMath, Invite Media and Appnexus buy from OpenX ad exchange.




(2) Vulnerability Details:

OpenX web application has a computer cyber security bug problem. It can be exploited by Unvalidated Redirects and Forwards (Open Redirect or URL Redirection) attacks. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker’s choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.

Several other similar products 0-day vulnerabilities have been found by some other bug hunter researchers before. OpenX has patched some of them. The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here! It also publishes suggestions, advisories, solutions details related to Open Redirect vulnerabilities and cyber intelligence recommendations.


Source code of adclick.php:

$destination = MAX_querystringGetDestinationUrl($adId[0]);



The “MAX_redirect” function is bellow,

function MAX_redirect($url)


if (!preg_match(‘/^(?:javascript|data):/i’, $url)) {

header(‘Location: ‘.$url);




The header() function sends a raw HTTP header to a client without any checking of the “$dest” parameter at all.




(1) For “adclick.php”, the code programming flaw occurs with “&dest” parameter.



(2) For “ck.php”, it uses “adclick.php” file. the code programming flaw occurs with “_maxdest” parameter.






(3) Solutions:

2014-10-12 Public disclosure with self-written patch.