[VIM] Open redirects - yes or no?

Steven M. Christey coley at linus.mitre.org
Fri May 2 16:29:22 UTC 2008


On Thu, 1 May 2008, security curmudgeon wrote:

> Either the app allows one click redirection to arbitrary sites w/o
> warning, or it gives you a warning that you are leaving the site and
> going to X in some fashion (logout page, leaving site splash page).

str0ke's excellent Google example notwithstanding, CVE-2008-2027 (RSA Auth
Agent) had a blacklist that prevented http/https URLs but forgot ftp URLs.
So clearly, in that case anyway, the vendor didn't want redirects to
external sites.

CVE-2008-0613 (XOOPS) and CVE-2007-6692 (Menalto Gallery) have vendor
patches, indicating they didn't intend to allow URLs.

So, I can see where it's a judgment call in some cases, but if the vendor
says it's an issue, then that would definitely prompt inclusion.

- Steve
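As an added illustration of the blacklist failure Steve describes (constructed example, not part of the mail or of any vendor's code): a scheme denylist that rejects http and https still passes an ftp target, while an allowlist that accepts only a path on the current site does not. The function names and sample URLs are assumptions made up for the example.

```python
from urllib.parse import urlsplit

# Constructed example, not the vendor's code: a scheme denylist of the kind
# described for CVE-2008-2027. It rejects http and https redirect targets
# but says nothing about ftp, so an ftp URL passes the check.
DENIED_SCHEMES = {"http", "https"}


def denylist_allows(target: str) -> bool:
    """True if the denylist check would let this redirect target through."""
    scheme = urlsplit(target).scheme.lower()
    return scheme not in DENIED_SCHEMES


def allowlist_allows(target: str) -> bool:
    """Hardened check: accept only a path on the current site.

    Rejects any absolute URL regardless of scheme (ftp, mailto, anything
    added later), scheme-relative URLs such as //host/..., and the
    backslash variant some browsers normalise to a scheme-relative URL.
    """
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return False
    return True


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return the requested target if it is local, otherwise the fallback page."""
    return target if allowlist_allows(target) else fallback


if __name__ == "__main__":
    samples = ("/account", "https://other.example/",
               "ftp://other.example/", "//other.example/")
    for t in samples:
        print(f"{t!r:26} denylist={denylist_allows(t)!s:5} "
              f"allowlist={allowlist_allows(t)}")
```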
