[VIM] Open redirects - yes or no?
steve at vitriol.net
Thu May 1 22:59:19 UTC 2008
security curmudgeon wrote:
> : > OSVDB typically adds these.
> : I would prefer we didn't.
> : > redirects should go to a logout/splash page indicating the user/customer is
> : > leaving the legitimate site. If that is in place, we don't ding the client
> : > at work, and we don't add it to OSVDB.
> : A subjective, case-by-case judgment. That's why I would prefer we
> : didn't count them.
> How is that subjective?
> Either the app allows one click redirection to arbitrary sites w/o
> warning, or it gives you a warning that you are leaving the site and
> going to X in some fashion (logout page, leaving site splash page).
It's subjective in whether the site is supposed to warn you or not. The
two given examples are pretty easy - no for Google, and yes for banks.
If we're talking about a piece of off-the-shelf software that includes a
search engine, it would be up to the end user web site admin to
determine which behavior is appropriate. Since we only include
software, and not customized websites, this is why I think there isn't
much place in osvdb for this.
If the context decides whether the function is acceptable, then I don't
believe it can be objectively said to be a vulnerability.
More information about the VIM