[VIM] site redirects: vulnerability or no?

Chris Wysopal weld at vulnwatch.org
Mon Nov 14 12:18:31 EST 2005



On Sun, 13 Nov 2005, Sullo wrote:

> security curmudgeon wrote:
>
> > http://[target]/goodbye.php?http://arbitrary.moo/
> >
> > If you obscure the 'arbitrary.moo' by using encoding, IP address,
> > TinyURL or a number of other methods, you have what looks like a
> > legitimate link to a site that many people may click on w/o realizing
> > it. This is very handy and likely widely abused in phishing attacks,
> > which is the reason some people are disclosing them.
> >
> I don't think obfuscation is *required*, as most victims of phishing
> probably wouldn't notice anyway. Any URL long enough to push past the
> edge of the location field wouldn't raise an eyebrow.
>
> > But, is it a *vulnerability*?
> >
> I believe so.  I think the proper way to do this is to have a white-list
> of allowed redirects (or properly built regex's that don't over-match),
> and/or an intermediary page that tells the user they are going to a 3rd
> party site.
>
> I am interested to hear how others feel about these & how some of the
> other DBs are handling (or not).

Hi all. First Post.

I agree that this is a vulnerability.  Are you talking about putting
vulnerable websites into the VDB or just software that implements this
redirect?  This is going to get more interesting over time as software
with APIs, etc. moves to become a service such as maps.google.com. I
can't imagine putting every website that has this problem in the VDB.

-Chris
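The handler pattern under discussion (goodbye.php taking whatever follows the '?' as the destination) and the allow-list fix Sullo describes, as an added example. This is illustration code written for this thread, not code from any of the sites or databases mentioned; the host names, function names and sample inputs are constructed. It also rejects the obfuscations named in the thread (percent-encoding, raw IP addresses, URL shorteners) and a few parser tricks the thread does not mention (userinfo decoys, network-path references, backslashes):

```python
"""Open-redirect check in the style of the goodbye.php?http://... handler.
All host names, function names and sample inputs here are constructed for
illustration; none come from the original thread."""
from urllib.parse import urlsplit, unquote

# Constructed allow-list of destinations this site is willing to send users to.
ALLOWED_HOSTS = frozenset({"www.example.com", "partner.example.net"})


def vulnerable_target(query_string: str) -> str:
    """The pattern being criticised: whatever follows the '?' becomes the
    redirect target, so ?http://arbitrary.moo/ sends the user anywhere."""
    return query_string


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site absolute path or an http(s) URL whose host
    is on the allow-list.  Everything else (other hosts, raw IPs, shortener
    domains, non-http schemes, encoded or decoy forms) is refused."""
    if not target:
        return False
    # Decode once so 'http:%2F%2Fevil' cannot hide from the parser, and
    # refuse anything that decodes again (double encoding).
    decoded = unquote(target)
    if unquote(decoded) != decoded:
        return False
    # Browsers treat '/\evil.example' like '//evil.example'; control
    # characters and whitespace also change how a browser parses the URL.
    if "\\" in decoded or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in decoded):
        return False
    parts = urlsplit(decoded)
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path ('/account'),
        # never a network-path reference ('//evil.example') or a bare host.
        return decoded.startswith("/") and not decoded.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, file:, ...
    # 'http://www.example.com@evil.example/' carries the allowed name as
    # userinfo while the real host is evil.example; refuse userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if port not in (None, 80, 443):
        return False
    host = parts.hostname  # lower-cased, userinfo and port already stripped
    return host is not None and host in allowed_hosts


def hardened_target(query_string: str, fallback: str = "/") -> str:
    """Drop-in replacement for vulnerable_target: destinations that fail the
    check go to the fallback page instead of where the attacker chose."""
    return query_string if is_safe_redirect(query_string) else fallback


if __name__ == "__main__":
    # Constructed sample inputs, including the forms named in the thread.
    for sample in [
        "http://arbitrary.moo/",                   # the original report
        "http://203.0.113.5/",                     # raw IP instead of a name
        "http:%2F%2Farbitrary.moo/",               # percent-encoded scheme
        "http://tinyurl.com/xyz",                  # URL shortener
        "//arbitrary.moo/",                        # network-path reference
        "http://www.example.com@arbitrary.moo/",   # allowed name as decoy userinfo
        "javascript:alert(1)",
        "/account/settings",
        "https://www.example.com/logout",
    ]:
        print(f"{sample!r:45} -> {hardened_target(sample)!r}")
```

The check deliberately refuses anything it cannot positively match rather than trying to enumerate bad inputs; a site that wants the interstitial "you are leaving this site" page Sullo mentions can render it for any target that fails is_safe_redirect instead of falling back silently.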
