[VIM] site redirects: vulnerability or no?
Stuart Moore
smoore at securityglobal.net
Mon Nov 14 02:42:01 EST 2005
Sometimes when faced with a toss-up decision, we will look at the
advertised purpose of the product or will consider what expectations a
reasonable administrator would have regarding the functionality.
Stuart
Sullo wrote:
> security curmudgeon wrote:
>
>
>>http://[target]/goodbye.php?http://arbitrary.moo/
>>
>>If you obscure the 'arbitrary.moo' by using encoding, IP address,
>>TinyURL or a number of other methods, you have what looks like a
>>legitimate link to a site that many people may click on w/o realizing
>>it. This is very handy and likely widely abused in phishing attacks,
>>which is the reason some people are disclosing them.
>>
>
> I don't think obfuscation is *required*, as most victims of phishing
> probably wouldn't notice anyway. Any URL long enough to push past the
> edge of the location field wouldn't raise an eyebrow.
>
>
>>But, is it a *vulnerability*?
>>
>
> I believe so. I think the proper way to do this is to have a white-list
> of allowed redirects (or properly built regex's that don't over-match),
> and/or an intermediary page that tells the user they are going to a 3rd
> party site.
>
> I am interested to hear how others feel about these & how some of the
> other DBs are handling (or not).
>
> -Sullo
>
>
More information about the VIM
mailing list