[VIM] site redirects: vulnerability or no?

Sullo sullo at cirt.net
Sun Nov 13 17:41:29 EST 2005

security curmudgeon wrote:

> http://[target]/goodbye.php?http://arbitrary.moo/
> If you obscure the 'arbitrary.moo' by using encoding, IP address,
> TinyURL or a number of other methods, you have what looks like a
> legitimate link to a site that many people may click on w/o realizing
> it. This is very handy and likely widely abused in phishing attacks,
> which is the reason some people are disclosing them.
I don't think obfuscation is *required*, as most victims of phishing
probably wouldn't notice anyway. Any URL long enough to push past the
edge of the location field wouldn't raise an eyebrow.

> But, is it a *vulnerability*?
I believe so.  I think the proper way to do this is to have a white-list
of allowed redirects (or properly built regex's that don't over-match),
and/or an intermediary page that tells the user they are going to a 3rd
party site.

I am interested to hear how others feel about these & how some of the
other DBs are handling (or not).



http://www.cirt.net/      |     http://www.osvdb.org/

More information about the VIM mailing list