[VIM] Open redirects - yes or no?

security curmudgeon jericho at attrition.org
Wed Apr 30 19:10:09 UTC 2008


: So that this link or quite known application would fall under your 
: category for an open redirect: 
: http://www.google.com/search?hl=en&q=CVE-2002-0419+windows+2003&btnI=I%27m+Feeling+Lucky
: 
: Which redirects you to Location: 
: http://www.hitrust.com.hk/whitepaper/2.1/sample_report.pdf
: 
: Or this: 
: http://www.google.com/search?num=100&hl=en&safe=off&q=CVE-2008-0032++securiteam&btnI=I%27m+Feeling+Lucky
: 
: Redirecting you to our site.

Google's primary function in life is to redirect you places. When you 
visit a search engine, you know you are going to click and end up 
elsewhere.

If I visit http://www.mybank.com/[anything], I expect to go to my bank 
and no other site, regardless of how they redirect me (intentionally or 
otherwise).

People have actually harped on Google for the redirect system many times. 
Many folks did the same with tinyurl who made the 'preview' feature so 
you can see where you are being redirected to in order to avoid 'exploit' 
style URLs. That is the appropriate 'fix' to the issue I believe.
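As an added illustration of the distinction drawn above between a site that is expected to stay on its own host and one whose job is to send you elsewhere (example code, not from this list post): a redirect handler that silently follows only targets on its own host and routes everything else through a tinyurl-style preview page. The host name www.mybank.com and the sample targets are constructed.

```python
"""Added example: decide whether a redirect target may be followed silently
or must be shown on a preview page first. Host names are constructed samples."""
from urllib.parse import urlsplit, urljoin

TRUSTED_HOST = "www.mybank.com"  # constructed: the site issuing the redirect


def redirect_decision(target: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Return 'follow' for an on-site target, 'preview' for anything else."""
    # Resolve relative targets against the trusted origin first, so that a
    # plain path such as "/account" is evaluated as an on-site URL, while a
    # protocol-relative "//other.example/..." resolves to the other host.
    absolute = urljoin(f"https://{trusted_host}/", target)
    parts = urlsplit(absolute)
    # Only http(s) is ever followed; other schemes go to the preview page.
    if parts.scheme not in ("http", "https"):
        return "preview"
    # Compare the parsed hostname (userinfo and port stripped, lower-cased)
    # exactly: "www.mybank.com.other.example" and "www.mybank.com@other"
    # forms both yield a different hostname and are not followed.
    if parts.hostname is None or parts.hostname != trusted_host.lower():
        return "preview"
    return "follow"


def preview_banner(target: str, trusted_host: str = TRUSTED_HOST) -> str:
    """Text for the preview page: shows the user where they would end up."""
    destination = urlsplit(urljoin(f"https://{trusted_host}/", target))
    shown = destination.hostname or destination.scheme + ": URL"
    return f"You are leaving {trusted_host} for {shown}. Continue?"


if __name__ == "__main__":
    for t in ("/account/summary",
              "https://www.google.com/search?q=x&btnI=I%27m+Feeling+Lucky",
              "//www.hitrust.com.hk/whitepaper/2.1/sample_report.pdf"):
        print(t, "->", redirect_decision(t))
```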

