[VIM] Open redirects - yes or no?

Steve Tornio steve at vitriol.net
Thu May 1 22:14:48 UTC 2008

security curmudgeon wrote:
> : But, I've noticed that other VDBs aren't necessarily covering these.
> OSVDB typically adds these.

I would prefer we didn't.

> The phishing vector is what warrants inclusion in my mind. When doing 
> application tests, we ding clients for this as well, especially financial 
> groups. 

In this same vein, an RTF document from the IRS with an embedded EXE 
would be considered a software vulnerability.  It's not.  It's simply 
having the functionality used in unexpected ways.

> Redirects should only work for the same site, any external
> redirects should go to a logout/splash page indicating the user/customer 
> is leaving the legitimate site. If that is in place, we don't ding the 
> client at work, and we don't add it to OSVDB.

A subjective, case-by-case judgment.  That's why I would prefer we 
didn't count them.
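The "same site only, otherwise a leaving page" rule the quoted reply describes, as an added Python example that is not from this thread or from OSVDB; the site host name, the `/leaving` interstitial path and the inputs are constructed for the example.

```python
from urllib.parse import urlsplit, quote

# Constructed values for this example (assumptions, not from the original thread).
SITE_HOST = "www.example-bank.test"
LEAVING_PAGE = "/leaving"   # interstitial telling the user they are leaving the site


def classify_redirect(target: str) -> str:
    """Classify a user-supplied redirect target as 'internal', 'external' or 'reject'."""
    if not target or any(c in target for c in "\r\n\x00"):
        return "reject"                       # CRLF / NUL would corrupt the Location header
    # Some browsers treat "/\evil.test" like "//evil.test"; normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return "reject"                       # javascript:, data: and friends
    if parts.netloc:
        host = (parts.hostname or "").lower()
        return "internal" if host == SITE_HOST else "external"
    # No authority part: accept only a plain absolute path. This also rejects
    # "https:evil.test" (scheme but no netloc) and bare "evil.test".
    if candidate.startswith("/") and not candidate.startswith("//"):
        return "internal"
    return "reject"


def safe_redirect_location(target: str) -> str:
    """Value to put in the Location header: same-site targets pass through,
    external ones are routed via the leaving page, anything else goes home."""
    kind = classify_redirect(target)
    if kind == "internal":
        return target
    if kind == "external":
        return f"{LEAVING_PAGE}?to={quote(target, safe='')}"
    return "/"
```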
