Open redirect in ax.pl
Historically, the logging script ax.pl could be called with any URL as a parameter, and it would 1) log the visit and then 2) redirect the visitor to the final destination. This allowed for logging outbound links that visitors use to exit your website, as well as logging traffic to file downloads or PDFs.
The logging script ax.pl had no limits on the URLs to which it would redirect, allowing it to "just work" without pre-configuration on any website with any URL. As such, it operated as an "open redirect".
In 2015, automated website analysis tools notified some users that the ax.pl open redirect was a security vulnerability. Fluid Dynamics believes that this is not an exploitable vulnerability. However, an updated version of AXS has been made available that allows users to:
disable ax.pl redirects entirely (ideal for those who've never used the feature)
maintain a whitelist of websites to which redirects are allowed (ideal for those with a small number of unchanging links)
continue to act as an open redirect (ideal for those not at risk, and with huge numbers of existing links)
digitally sign redirect links (for big websites with a content management system)
See Digitally signed redirects
These controls can be found towards the bottom of the "Customize" page in AXS v2.3.0.0042.
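The four redirect policies listed above can be sketched as a single decision function. This is an added example, not code from AXS: the mode names, the ALLOWED_HOSTS and SIGNING_KEY settings, and the HMAC-SHA256 link signature are assumptions made for illustration, and the page does not describe the signing format AXS actually uses.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample settings; names and signing format are assumptions,
# not AXS's actual configuration keys or link format.
ALLOWED_HOSTS = {"downloads.example.com", "partner.example.org"}
SIGNING_KEY = b"constructed-demo-key-change-me"


def sign_url(url, key=SIGNING_KEY):
    """Return the hex HMAC-SHA256 tag a CMS would append to a redirect link."""
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()


def _http_host(url):
    """Return the hostname of an absolute http(s) URL, or None if it is not one."""
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\\" for ch in url):
        return None  # characters that URL parsers and browsers treat inconsistently
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def redirect_target(url, mode, sig=None):
    """Return the URL to redirect to, or None when the visit is logged only."""
    host = _http_host(url)
    if host is None or mode == "disabled":
        return None
    if mode == "open":
        return url  # any absolute http(s) URL (scheme check is this sketch's choice)
    if mode == "whitelist":
        # Exact match on the parsed hostname, never a prefix or substring
        # of the raw URL string.
        return url if host in ALLOWED_HOSTS else None
    if mode == "signed":
        # Constant-time comparison; a missing or altered signature fails.
        expected = sign_url(url).encode("ascii")
        ok = sig is not None and hmac.compare_digest(expected, sig.encode("utf-8"))
        return url if ok else None
    return None  # unknown mode: fail closed
```

In every mode the visit can still be logged before the decision is made; only the redirect step is conditional.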
"Open redirect in ax.pl" https://www.xav.com/scripts/axs/help/1515.html