[VIM] site redirects: vulnerability or no?
Sullo
sullo at cirt.net
Sun Nov 13 17:41:29 EST 2005
security curmudgeon wrote:
> http://[target]/goodbye.php?http://arbitrary.moo/
>
> If you obscure the 'arbitrary.moo' by using encoding, IP address,
> TinyURL or a number of other methods, you have what looks like a
> legitimate link to a site that many people may click on w/o realizing
> it. This is very handy and likely widely abused in phishing attacks,
> which is the reason some people are disclosing them.
>
I don't think obfuscation is *required*, as most victims of phishing
probably wouldn't notice anyway. Any URL long enough to push past the
edge of the location field wouldn't raise an eyebrow.
> But, is it a *vulnerability*?
>
I believe so. I think the proper way to do this is to have a white-list
of allowed redirects (or properly built regex's that don't over-match),
and/or an intermediary page that tells the user they are going to a 3rd
party site.
I am interested to hear how others feel about these & how some of the
other DBs are handling (or not).
-Sullo
--
http://www.cirt.net/ | http://www.osvdb.org/
More information about the VIM
mailing list