Astun Technology iShare Maps Open Redirect Vulnerability
Vulnerability
An open redirect vulnerability has been identified in Astun Technology iShare Maps version 5.4.0. The issue arises in the file atCheckJS.aspx, where the ref parameter can be manipulated to redirect users to external websites. This vulnerability can be exploited remotely without authentication, although it requires user interaction. Once a redirect has been performed, exploiting the vulnerability again requires clearing the browser's history or using a different browser.
Impact
Exploitation of this vulnerability allows for open redirection, which can be used to conduct phishing attacks by redirecting users to malicious websites.
Reproduction
To reproduce this vulnerability, send a request to the atCheckJS.aspx endpoint with a ref parameter pointing to an external URL. The application will redirect the user to the specified URL. Note that the redirect can only be performed once per browser session unless the browser history is cleared or a different browser is used.
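Detection example
The following Python script is added here as an example and is not taken from the advisory or from Astun Technology. It scans a web server log for requests to atCheckJS.aspx whose ref parameter points to a host outside the site's own. It assumes W3C extended logging with the cs-uri-stem, cs-uri-query and c-ip fields; the trusted hostname, paths, addresses and log lines are constructed.

```python
"""Flag requests to atCheckJS.aspx whose ref parameter points off-site."""
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOSTS = {"maps.example.org"}  # assumption: the deployment's own hostname

def is_external_target(ref, trusted_hosts=TRUSTED_HOSTS):
    """Return True if redirecting to `ref` would leave the trusted hosts."""
    ref = ref.strip().replace("\\", "/")      # browsers treat "\" like "/"
    if ref.startswith("//"):                   # scheme-relative URL
        ref = "http:" + ref
    parts = urlsplit(ref)
    if not parts.scheme and not parts.netloc:
        return False                           # plain relative path stays on-site
    if parts.scheme not in ("http", "https"):
        return True                            # non-web schemes are never a valid target
    return (parts.hostname or "").lower() not in trusted_hosts

def find_offsite_redirects(log_text):
    """Scan a W3C extended log; return (client_ip, ref) for off-site ref values."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order is set by this header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/atcheckjs.aspx"):
            continue
        query = parse_qs(row.get("cs-uri-query", ""))   # percent-decodes values
        for key, values in query.items():
            if key.lower() == "ref":           # match the parameter name in any case
                hits += [(row.get("c-ip"), v) for v in values if is_external_target(v)]
    return hits

# Constructed sample log (hosts, paths and addresses are invented for the example).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip
2024-01-01 10:00:00 GET /maps/atCheckJS.aspx ref=/maps/default.aspx 192.0.2.10
2024-01-01 10:00:05 GET /maps/atCheckJS.aspx ref=https%3A%2F%2Flogin.example.net%2F 192.0.2.11
2024-01-01 10:00:09 GET /maps/atcheckjs.aspx REF=//login.example.net/a 192.0.2.12
2024-01-01 10:00:12 GET /maps/atCheckJS.aspx ref=https://maps.example.org/maps/ 192.0.2.13
2024-01-01 10:00:20 GET /maps/default.aspx - 192.0.2.14
"""

if __name__ == "__main__":
    for ip, ref in find_offsite_redirects(SAMPLE_LOG):
        print(ip, ref)
```

The same is_external_target check can serve as server-side validation of ref before any redirect is issued.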
