[VIM] Open redirects - yes or no?

Steven M. Christey coley at mitre.org
Wed Apr 30 14:49:25 UTC 2008


CVE has been adding "open redirect" issues lately, where you have
something like:

  myapp.php?url=http://www.example.com/PHISHME


Typically, a vulnerable application will read the url argument and
construct a response that redirects the user to that URL.  The general
rationale is for the application to redirect a user to another part of
the site, e.g. if a login failed.

The typical implementations I've seen either use a Location: header or
a META-REFRESH.  CVE-2008-0981 and CVE-2008-0613 are recent examples.

But, I've noticed that other VDBs aren't necessarily covering these.

My rationale for inclusion in CVE is that open redirects are useful
for redirecting a user from a legitimate site to a malicious site
where the malicious site is either used for phishing or drive-by
exploitation.  I suspect that many implemented redirects would be
automatic, so in the drive-by example it's irrelevant if a cautious
user looks at the browser's address bar, as the malware probably would
have already implanted itself.  This usually is not intended by the
program serving up the URL, and so it's technically a security issue
because of the violation of the program's intended security policy.
At least that's my general reasoning.

The attack topology has things in common with reflected XSS
(attacker-to-user-who-clicks), which I think is generally treated as a
security issue even if it's typically user-assisted.  And I suspect
there might be some stored-XSS-style attacks too.

What do others think of this?

- Steve
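
The redirect pattern described in the message above, as an added example that is not part of the original post: the echo-the-parameter behaviour next to a check that keeps the redirect target on the application's own site. The host name app.example.org, the "/" fallback and both function names are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example: the application's own host and a safe default.
SITE_HOST = "app.example.org"
FALLBACK = "/"


def naive_redirect_target(url_param):
    """The open-redirect pattern: whatever arrives in ?url= becomes the
    Location: header (or META refresh target) unchanged."""
    return url_param


def redirect_target(url_param, site_host=SITE_HOST, fallback=FALLBACK):
    """Return a same-site path for the redirect, or `fallback` if the
    user-supplied value would send the browser anywhere else."""
    # Browsers treat "\" like "/" and strip some whitespace; CR/LF in a
    # Location: header would also allow header splitting. Reject all of it.
    if not url_param or any(c == "\\" or ord(c) <= 0x20 for c in url_param):
        return fallback
    # "//host/..." is scheme-relative and leaves the site; browsers also
    # collapse extra leading slashes, so "///host" is rejected as well.
    if url_param.startswith("//"):
        return fallback
    try:
        parts = urlsplit(url_param)
        host = parts.hostname  # lower-cased, userinfo and port removed
    except ValueError:
        return fallback
    if parts.scheme or parts.netloc:
        # Absolute URL: only http(s) to our own host is acceptable.
        if parts.scheme not in ("http", "https") or host != site_host:
            return fallback
    # Policy choice for this example: only rooted paths are accepted, and
    # the result is rebuilt from parsed parts instead of echoing the input.
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    return path + ("?" + parts.query if parts.query else "")


if __name__ == "__main__":
    # Constructed inputs, including the URL shape quoted in the post.
    for value in ("/login?failed=1", "http://www.example.com/PHISHME",
                  "//www.example.com/PHISHME", "https://app.example.org/account"):
        print(f"{value!r:40} naive={naive_redirect_target(value)!r} "
              f"checked={redirect_target(value)!r}")
```
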

