
Open redirect in ax.pl

Historically, the logging script ax.pl could be called with any URL as a parameter, and it would 1) log the visit and then 2) redirect the visitor to the final destination. This allowed for logging outbound links that visitors use to exit your website, as well as logging traffic to file downloads or PDFs.

The logging script ax.pl had no limits on the URLs to which it would redirect, allowing it to "just work" without pre-configuration on any website with any URL. As such, it operated as an "open redirect".

In 2015, automated website analysis tools notified some users that the ax.pl open redirect was a security vulnerability. Fluid Dynamics believes that this is not an exploitable vulnerability. However, an updated version of AXS has been made available that allows users to:

These controls can be found towards the bottom of the "Customize" page in AXS v2.3.0.0042.
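
The behaviour described above amounts to "log, then redirect to whatever URL was supplied". As an added illustration (not AXS code, and not a description of how the v2.3.0.0042 controls are implemented), this Perl function shows one way a log-then-redirect script can limit destinations to same-site paths and an exact-match host allowlist. The names `%ALLOWED_HOST` and `is_safe_target`, and all hosts and sample URLs, are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed allowlist: external hosts this site deliberately links to.
my %ALLOWED_HOST = map { $_ => 1 } qw(www.example.org downloads.example.org);

# Return 1 if $url is an acceptable redirect destination, else 0.
sub is_safe_target {
    my ($url) = @_;
    return 0 unless defined $url && length $url;

    # Control characters (including CR/LF, which would split the Location
    # header), spaces and backslashes never belong in a destination.
    return 0 if $url =~ /[\x00-\x20\x7f\\]/;

    # Same-site path: exactly one leading slash ("//host/..." is off-site).
    return 1 if $url =~ m{\A/(?!/)};

    # Otherwise require http(s):// and take the authority up to / ? or #.
    my ($authority) = $url =~ m{\Ahttps?://([^/?#]+)}i or return 0;

    # "user@host" makes the text before the @ look like the destination.
    return 0 if $authority =~ /@/;

    # Lower-case, drop a numeric port, then insist on a plain DNS name.
    (my $host = lc $authority) =~ s/:\d+\z//;
    return 0 unless $host =~ /\A[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\z/;

    # Exact match only: "www.example.org.other.example" is a different host.
    return $ALLOWED_HOST{$host} ? 1 : 0;
}

# Constructed sample inputs (not taken from AXS or from any real log).
my @samples = (
    '/files/manual.pdf',
    'https://www.example.org/page?x=1',
    'HTTP://Downloads.Example.Org:8080/a.zip',
    '//other.example/',
    'https://other.example/',
    'https://www.example.org@other.example/',
    'https://www.example.org.other.example/',
    'javascript:void(0)',
    '/\\other.example',
);
printf "%-42s %s\n", $_, is_safe_target($_) ? 'redirect' : 'refuse'
    for @samples;
```

A script using a check like this can still log the request and send refused destinations to a fixed page such as the site's home page.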
