[VIM] site redirects: vulnerability or no?

Sullo sullo at cirt.net
Mon Nov 14 19:47:10 EST 2005


Chris Wysopal wrote:

>On Mon, 14 Nov 2005, security curmudgeon wrote:
>
>>If a vuln, then the second question becomes.. one entry for the concept,
>>or one entry per package.
>>
>>And last, why is this a vulnerability in your eyes? One could argue that
>>the script is doing exactly what was intended, and the only vulnerability
>>is the person who blindly follows a link w/o realizing what they are
>>doing. This could also technically make 'TinyURL' a vulnerability since it
>>has the same outcome and even better concealment of the target URL.
>
>To pull off a convincing phishing attack you need to put a few pieces
>together.  Having an URL that looks legit is just one part.  TinyURLs
>don't look legit.  But think about something that said click here for the
>latest microsoft download and the url was
>http://www.microsoft.com/something?www.sitename.com/foobar.exe
>I bet Microsoft would want to fix that if notified.
>
>Just because it is a vulnerability doesn't mean it makes sense to track it
>in the VDB.  At some point a vulnerability gets so minor no one really
>cares, such as many information disclosure issues. I think this one falls
>below the level of tracking.
>
I think it bears at least one entry. Having been on the end of trying to convince developers to not allow arbitrary redirects because it *was* being used for phishing, having VDB entries that explained the issue, linked to other resources (news articles, "fixes", discussions, etc.) would have been really helpful.  Since it was in-house code, there was no vendor bulletin for me to point at.

But just today I was doing some code auditing (which is what they get for leaving a .php.bak file behind) and found that they tried to validate URLs, but incorrectly. So I could sneak a URL like www.cnn.com.cirt.net (assuming www.cnn.com was allowed) and pass their "site validation" code... in this case I would call it an individual vuln because they have protection that failed.

I think that's my $.04 on the subject. 

-Sullo


-- 

http://www.cirt.net/      |     http://www.osvdb.org/
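The failure Sullo describes above, a redirect "site validation" check that accepts www.cnn.com.cirt.net when only www.cnn.com is meant to be allowed, comes from matching the allowed site as a string prefix instead of comparing the parsed hostname exactly. The example below is added here and is not code from the post or from the site Sullo audited; the original was PHP and is not shown, so the weak check is a reconstruction of the described behaviour, and the allowlist, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed allowlist for the example; the post only names www.cnn.com as permitted.
ALLOWED_HOSTS = {"www.cnn.com"}


def weak_is_allowed(url: str) -> bool:
    """Reconstruction (assumption) of the broken check from the post: a prefix match on
    the raw URL string. "http://www.cnn.com.cirt.net/" starts with
    "http://www.cnn.com", so an attacker-controlled host slips through."""
    for host in ALLOWED_HOSTS:
        if url.startswith(f"http://{host}") or url.startswith(f"https://{host}"):
            return True
    return False


def strict_is_allowed(url: str) -> bool:
    """Hardened check: parse the URL, require http(s), and compare the hostname
    exactly against the allowlist. urlparse().hostname is lowercased and has the
    port stripped, so "www.cnn.com.cirt.net" is a different string and is rejected."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if host is None:
        return False
    return host in ALLOWED_HOSTS


def redirect_target(url: str, fallback: str = "/") -> str:
    """What a redirect handler should send to the browser: the requested URL when it
    passes the strict check, otherwise a safe local fallback rather than the raw input."""
    return url if strict_is_allowed(url) else fallback


if __name__ == "__main__":
    # Constructed sample redirect parameters, as they might arrive in a ?url= query string.
    samples = [
        "http://www.cnn.com/",
        "http://www.cnn.com.cirt.net/",  # the bypass described in the post
        "http://cirt.net/",
    ]
    for sample in samples:
        print(f"{sample:35} weak={weak_is_allowed(sample)!s:5} strict={strict_is_allowed(sample)}")
```

Running the block prints the weak and strict verdicts side by side; only the second sample differs, which is exactly the case where the original validation "failed" in Sullo's words.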


