[VIM] Open redirects - yes or no?
Steven M. Christey
coley at linus.mitre.org
Fri May 2 16:29:22 UTC 2008
On Thu, 1 May 2008, security curmudgeon wrote:
> Either the app allows one click redirection to arbitrary sites w/o
> warning, or it gives you a warning that you are leaving the site and
> going to X in some fashion (logout page, leaving site splash page).
str0ke's excellent Google example notwithstanding, CVE-2008-2027 (RSA Auth
Agent) had a blacklist that prevented http/https URLs but forgot ftp URLs.
So clearly, in that case anyway, the vendor didn't want redirects to
external sites.
CVE-2008-0613 (XOOPS) and CVE-2007-6692 (Menalto Gallery) have vendor
patches, indicating they didn't intend to allow URLs.
So, I can see where it's a judgment call in some cases, but if the vendor
says it's an issue, then that would definitely prompt inclusion.
- Steve
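As an added illustration of the filter gap Steve describes (a denylist that blocks http/https but not ftp), here is a small Python comparison that is not part of the original post or of any of the products named: a denylist-style check in the spirit of that description beside an allowlist that only accepts a relative path on the current site. Function names and the sample targets are constructed for this example.

```python
from urllib.parse import urlsplit

# Denylist in the spirit of the RSA Auth Agent description: it rejects only
# http:// and https:// targets, so any other scheme (ftp://, javascript:, ...)
# and scheme-relative "//host" targets pass straight through.
def denylist_allows(target: str) -> bool:
    lowered = target.strip().lower()
    return not (lowered.startswith("http://") or lowered.startswith("https://"))


# Allowlist: accept only a relative path on the current site. Anything that
# parses with a scheme or a network location is an external target and is
# refused, which covers ftp://, javascript:, and scheme-relative "//host".
def allowlist_allows(target: str) -> bool:
    parts = urlsplit(target.strip())
    if parts.scheme or parts.netloc:
        return False
    # Must be a site-absolute path; "//" would already be a netloc above, and
    # a backslash is refused because some browsers treat "/\host" as "//host".
    if not parts.path.startswith("/") or "\\" in target:
        return False
    return True


# Redirect helper: return the requested target only if the allowlist accepts
# it, otherwise fall back to a fixed local page.
def pick_redirect(target: str, fallback: str = "/") -> str:
    return target if allowlist_allows(target) else fallback


# Constructed sample targets, labelled with what each check does with them.
SAMPLE_TARGETS = [
    "/account/settings",       # local path: allowlist accepts
    "http://evil.example/",    # both checks refuse
    "ftp://evil.example/",     # denylist lets it through, allowlist refuses
    "//evil.example/",         # scheme-relative: denylist lets it through
    "javascript:alert(1)",     # non-URL scheme: denylist lets it through
    "/\\evil.example",         # backslash trick: allowlist refuses
]


def compare_filters():
    """Return {target: (denylist_allows, allowlist_allows)} for the samples."""
    return {t: (denylist_allows(t), allowlist_allows(t)) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, (deny, allow) in compare_filters().items():
        print(f"{target!r:28} denylist={deny!s:5} allowlist={allow}")
```

The comparison is the point: the only target the denylist and the allowlist agree on refusing is the plain http:// one; every other external target shows why a scheme denylist is the wrong shape for this check.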