limdauto · August 18, 2013 12:39
diff --git a/redirector.php b/redirector.php
 <?php

 // Suppose attacker A cannot get a directory listing from MySite Inc. hidden JavaScript folders at http://mysite.com/hidden
 // However, a cloud service B which provides JS compressing service is used by MySite Inc and therefore has accessed
 // to the listing. Service B has a webpage called redirector.php which uses dynamic url input.
 // Attacker A can simply use this redirector to get to the listing by accessing
 // http://serviceb.com/reidrector.php?url=hidden

 $redirect_url = $_GET['url'];
 header("Location: http://mysite.com/" . $redirect_url);
 ?>
	<?php

	// Suppose attacker A cannot get a directory listing from MySite Inc. hidden JavaScript folders at http://mysite.com/hidden
	// However, a cloud service B which provides JS compressing service is used by MySite Inc and therefore has accessed
	// to the listing. Service B has a webpage called redirector.php which uses dynamic url input.
	// Attacker A can simply use this redirector to get to the listing by accessing
	// http://serviceb.com/reidrector.php?url=hidden

	$redirect_url = $_GET['url'];
	header("Location: http://mysite.com/" . $redirect_url);
	?>