[VIM] Open redirects - yes or no?
Steve Tornio
steve at vitriol.net
Thu May 1 22:14:48 UTC 2008
security curmudgeon wrote:
> : But, I've noticed that other VDBs aren't necessarily covering these.
>
> OSVDB typically adds these.
I would prefer we didn't.
>
> The phishing vector is what warrants inclusion in my mind. When doing
> application tests, we ding clients for this as well, especially financial
> groups.
In this same vein, an RTF document from the IRS with an embedded EXE
would be considered a software vulnerability. It's not. It's simply
having the functionality used in unexpected ways.
> Redirects should only work for the same site, any external
> redirects should go to a logout/splash page indicating the user/customer
> is leaving the legitimate site. If that is in place, we don't ding the
> client at work, and we don't add it to OSVDB.
>
A subjective, case-by-case judgment. That's why I would prefer we
didn't count them.
Steve
osvdb.org