[VIM] Open redirects - yes or no?

security curmudgeon jericho at attrition.org
Thu May 1 22:51:51 UTC 2008

: > OSVDB typically adds these.
: I would prefer we didn't.

: > redirects should go to a logout/splash page indicating the user/customer is
: > leaving the legitimate site. If that is in place, we don't ding the client
: > at work, and we don't add it to OSVDB.
: A subjective, case-by-case judgment.  That's why I would prefer we 
: didn't count them.

How is that subjective?

Either the app allows one-click redirection to arbitrary sites w/o 
warning, or it gives you a warning that you are leaving the site and 
going to X in some fashion (logout page, leaving site splash page).
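
The two behaviours contrasted in the message above, as an added example that is not part of the original post: a redirect endpoint that forwards to any target in one click, next to one that shows a leaving-site page for off-site targets. `SITE_HOST`, the function names and the sample URLs are assumptions made for illustration.

```python
from html import escape
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"  # assumed hostname of the legitimate site


def naive_redirect(target):
    """One-click redirect to whatever the parameter says, with no warning."""
    return 302, {"Location": target}, ""


def classify(target):
    """Return 'internal', 'external' or 'invalid' for a redirect target."""
    # Backslashes, whitespace and control characters are parsed differently
    # by browsers and by urlsplit, so refuse them outright.
    if not target or "\\" in target or any(ord(c) <= 0x20 for c in target):
        return "invalid"
    try:
        parts = urlsplit(target)
        host = parts.hostname
    except ValueError:
        return "invalid"
    if not parts.scheme and not parts.netloc:
        # Site-relative path only; "//host" and "///host" leave the site.
        ok = target.startswith("/") and not target.startswith("//")
        return "internal" if ok else "invalid"
    if parts.scheme in ("http", "https") and host:
        return "internal" if host == SITE_HOST else "external"
    return "invalid"  # javascript:, data:, scheme-relative URLs, etc.


def handle_redirect(target):
    """Redirect on-site targets; show a leaving-site page for off-site ones."""
    kind = classify(target)
    if kind == "internal":
        return 302, {"Location": target}, ""
    if kind == "external":
        # Name the host the browser will actually reach, not the raw string.
        host = escape(urlsplit(target).hostname)
        body = (f"<p>You are leaving {SITE_HOST} and going to <b>{host}</b>.</p>"
                f'<a rel="noopener noreferrer" href="{escape(target)}">Continue</a>')
        return 200, {"Content-Type": "text/html; charset=utf-8"}, body
    return 400, {"Content-Type": "text/plain"}, "Invalid redirect target"
```
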

