[VIM] Open redirects - yes or no?

Noam Rathaus noamr at beyondsecurity.com
Wed Apr 30 19:17:53 UTC 2008


On Wednesday 30 April 2008 22:10:09 security curmudgeon wrote:
> : So that this link or quite known application would fall under your
> : category for a open redirect:
> : http://www.google.com/search?hl=en&q=CVE-2002-0419+windows+2003&btnI=I%27m+Feeling+Lucky
> :
> : Which redirects you to Location:
> : http://www.hitrust.com.hk/whitepaper/2.1/sample_report.pdf
> :
> : Or this:
> : http://www.google.com/search?num=100&hl=en&safe=off&q=CVE-2008-0032++securiteam&btnI=I%27m+Feeling+Lucky
> :
> : Redirecting you to our site.
> Google's primary function in life is to redirect you places. When you
> visit a search engine, you know you are going to click and end up
> elsewhere.
> If I visit http://www.mybank.com/[anything], I expect to go to my bank
> and no other site, regardless of how they redirect me (intentionally or
> otherwise).

But I didn't visit www.mybank.com, I visited - usually - redirect.php or 
login.php with a specific parameter called url= or redirect= ... :)

That is why I think the PHP is doing what it is asked for - redirecting you - 
the programmer decided to not be too strict on the URL - his choice - a bad 
one - but his choice to make.

Unlike SQL Injection, Code Injection, Cross Site Scripting, redirections are 
redirections even if they don't get you to where we think they should - i.e. 
never outside their site.

> People have actually harped on Google for the redirect system many times.
> Many folks did the same with tinyurl who made the 'preview' feature so
> you can see where you are being redirected to in order to avoid 'exploit'
> style URLs. That is the appropriate 'fix' to the issue I believe.

Noam Rathaus
noamr at beyondsecurity.com

"Know that you are safe."

Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007
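
The redirect.php-style url= parameter handling discussed in this thread, as an added example that is not part of the original post: a Python sketch of the permissive handler beside a checked one that only lets the Location value point back at the site. ALLOWED_HOSTS, redirect_checked and the host names are assumptions for the example, not anything from the list.

```python
from urllib.parse import urlsplit

# Constructed site configuration (an assumption for this example): the only
# hosts the redirect script is ever allowed to send a visitor to.
ALLOWED_HOSTS = {"www.mybank.com", "mybank.com"}
DEFAULT_TARGET = "/"


def redirect_unchecked(url: str) -> str:
    """The permissive design the thread argues about: whatever arrives in
    url= is echoed straight into the Location header."""
    return url


def redirect_checked(url: str, allowed_hosts=ALLOWED_HOSTS,
                     default=DEFAULT_TARGET) -> str:
    """Return a Location value that can only land on this site.

    Anything that could carry the browser elsewhere (another host, a
    non-http scheme, a scheme-relative //host, backslash or userinfo
    tricks, CR/LF header injection) is replaced by the default target."""
    if not url or "\r" in url or "\n" in url:
        return default
    # Browsers treat backslashes in the authority as slashes; normalise
    # before parsing so "/\evil" is seen as "//evil".
    parts = urlsplit(url.replace("\\", "/"))
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default
    if parts.netloc:
        host = parts.hostname
        # The authority must be nothing but a bare allow-listed host; this
        # one comparison rejects user@host, host:port and odd authorities.
        if host is None or parts.netloc.lower() != host or host not in allowed_hosts:
            return default
        target = f"{parts.scheme or 'https'}://{host}{parts.path or '/'}"
    else:
        # Relative target: exactly one leading slash, so the path can never
        # be re-read as a scheme-relative authority by the browser.
        if not parts.path.startswith("/") or parts.path.startswith("//"):
            return default
        target = parts.path
    if parts.query:
        target += "?" + parts.query
    return target
```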
