[VIM] Open redirects - yes or no?
security curmudgeon
jericho at attrition.org
Wed Apr 30 19:10:09 UTC 2008
: So that this link or quite known application would fall under your
: category for an open redirect:
: http://www.google.com/search?hl=en&q=CVE-2002-0419+windows+2003&btnI=I%27m+Feeling+Lucky
:
: Which redirects you to Location:
: http://www.hitrust.com.hk/whitepaper/2.1/sample_report.pdf
:
: Or this:
: http://www.google.com/search?num=100&hl=en&safe=off&q=CVE-2008-0032++securiteam&btnI=I%27m+Feeling+Lucky
:
: Redirecting you to our site.
Google's primary function in life is to redirect you places. When you
visit a search engine, you know you are going to click and end up
elsewhere.
If I visit http://www.mybank.com/[anything], I expect to go to my bank
and no other site, regardless of how they redirect me (intentionally or
otherwise).
People have actually harped on Google for the redirect system many times.
Many folks did the same with tinyurl who made the 'preview' feature so
you can see where you are being redirected to in order to avoid 'exploit'
style URLs. That is the appropriate 'fix' to the issue I believe.
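The policy argued above (a bank's redirect stays on the bank; an off-site destination gets a tinyurl-style preview instead of a blind 302), written out as an added example that is not code from the thread, Google or tinyurl. The host www.mybank.com comes from the post; classify_redirect and redirect_response are hypothetical names.

```python
from urllib.parse import urlsplit

# Hypothetical host for the example; taken from the post's mybank.com.
SITE_HOST = "www.mybank.com"


def classify_redirect(target: str, site_host: str = SITE_HOST) -> str:
    """Classify a redirect target as 'same-site', 'external' or 'reject'."""
    # Browsers read a backslash in the authority as a slash, so "/\evil"
    # becomes "//evil" on the client; normalise before parsing.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    scheme = parts.scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return "reject"  # javascript:, data:, vbscript: and friends
    if not parts.netloc:
        # "https:///evil" or "http:evil" parse oddly in browsers; only a
        # plain scheme-less path is treated as staying on this host.
        return "same-site" if not scheme else "reject"
    # .hostname drops userinfo ("site@evil") and port, and lowercases.
    return "same-site" if parts.hostname == site_host else "external"


def redirect_response(target: str, site_host: str = SITE_HOST) -> tuple:
    """Return (status, headers, body) for a ?next=<target> style redirect."""
    verdict = classify_redirect(target, site_host)
    if verdict == "same-site":
        return 302, {"Location": target}, ""
    if verdict == "external":
        # Off-site: no blind 302. Show the destination, as tinyurl's
        # preview does, and let the user decide whether to continue.
        body = ("You are leaving %s for: %s\n"
                "Continue only if this is the site you expected.\n"
                % (site_host, target))
        return 200, {"Content-Type": "text/plain"}, body
    return 400, {"Content-Type": "text/plain"}, "Bad redirect target\n"


if __name__ == "__main__":
    # Constructed sample targets covering the cases handled above.
    for t in ("/account", "https://www.mybank.com/x", "//evil.example/",
              "/\\evil.example", "http://www.mybank.com@evil.example/",
              "javascript:alert(1)"):
        print(t, "->", classify_redirect(t))
```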
More information about the VIM mailing list