WebApp Sec: Re: usability vs security - return urls by parameter

Re: usability vs security - return urls by parameter

From: Gleb Paharenko <gpaharenko_at_gmail.com>
Date: Wed, 16 Jul 2008 15:12:59 +0300

Hi.

That seems to be a part of "open redirects problem" which was
discussed a lot on this list.

2008/7/15 MC Iglo <mc.iglo_at_googlemail.com>:
> Hi all,
>
> Lately, I see more and more pages using GET parameters to store a
> return URL after login.
> Two famous examples are eBay and Google.
>
> Of course, this is nice for the user, to get back to where he came from
> before logging in.
> But on the other hand, I think that's an extremely high risk!
>
> In most cases, the URL is something like
> http://gooddomain.tld/login.php?arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22&return=http%3A%2F%2Fgooddomain.tld%2Fadmin&morearg=morebla
>
> As you can see in the example above, it is not very clear what URL the
> user will be redirected to.
> Now let's obfuscate it a little bit more and replace the return path, and you get
> http://gooddomain.tld/login.php?arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22&return=%68%74%74%70%3a%2f%2f%62%75%67%67%65%6c%7a%2e%66%75%6e%70%69%63%2e%64%65%2f%67%70%6f%74%61%74%6f%2e%68%74%6d%6c&morearg=morebla
>
> (The decoded string is an example form - I notified them separately before.)
>
> Let's send this link to someone interested in their products, or put it
> on a website/forum as a reply to a question. Even careful people might
> be tricked into clicking on this link and logging in, because they see
> 'http://gooddomain.tld/...', and that IS the site they want to go to.
> After they have logged in successfully, the website redirects them to my
> malicious site, which says the login was incorrect. Of course, the
> user will not be distrustful, because he was sent to this 'view' by
> gooddomain.tld (he won't check the address bar, for sure), and he types in
> his data again to be sure he made no typos, and I store this data on my server.
> I have successfully stolen his data and redirect him to the normal portal.
> He won't even notice it and thinks he made a typo at the first try.
>
> In my opinion, this is extremely critical.
> But hey... who cares? It's web 2.0...
>
> Regards
> MC.Iglo
>

-- 
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
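A server-side check for the `return` parameter, added here as an example and not code from anyone in this thread. It takes the two login URLs quoted above, decodes the parameter the same way the obfuscated one hides its target, and reduces it to a same-site path; anything pointing off-site, including protocol-relative `//host` forms, userinfo tricks and double-encoded values, falls back to the site root. The origin `http://gooddomain.tld`, the `/` fallback and the function names are assumptions taken from the post's example.

```python
from urllib.parse import parse_qs, unquote, urlsplit, urlunsplit

# Assumed site origin, taken from the example URL in the post.
SITE_ORIGIN = "http://gooddomain.tld"
FALLBACK = "/"

# Query strings copied from the two login URLs quoted in the post.
PLAIN_QUERY = (
    "arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22"
    "&return=http%3A%2F%2Fgooddomain.tld%2Fadmin&morearg=morebla"
)
OBFUSCATED_QUERY = (
    "arg1=bla&arg2=blaaaaaaa&arg3=%22alb%22"
    "&return=%68%74%74%70%3a%2f%2f%62%75%67%67%65%6c%7a%2e%66%75%6e%70%69%63"
    "%2e%64%65%2f%67%70%6f%74%61%74%6f%2e%68%74%6d%6c&morearg=morebla"
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    target cannot slip past a check that only looks at the raw parameter."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_return_path(raw_return: str) -> str:
    """Reduce a user-supplied return URL to a same-site path, or FALLBACK.

    Accepts '/path?query' or an absolute URL whose scheme and host equal
    SITE_ORIGIN exactly. Other hosts, other schemes, protocol-relative
    '//host', 'host@evil' userinfo forms and backslashes are all dropped.
    """
    target = fully_decode(raw_return).strip()
    # Browsers treat backslashes and control characters inconsistently; refuse them.
    if "\\" in target or any(ord(c) < 0x20 for c in target):
        return FALLBACK
    parts = urlsplit(target)
    site = urlsplit(SITE_ORIGIN)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: scheme and host must match exactly,
        # so 'gooddomain.tld.evil.example' and 'gooddomain.tld@evil.example' fail.
        if parts.scheme.lower() != site.scheme or parts.netloc.lower() != site.netloc:
            return FALLBACK
    elif not target.startswith("/"):
        return FALLBACK
    path = parts.path or "/"
    # A rebuilt path beginning with '//' would itself be protocol-relative.
    if not path.startswith("/") or path.startswith("//"):
        return FALLBACK
    # Rebuild from components so only path and query survive.
    return urlunsplit(("", "", path, parts.query, ""))


def redirect_after_login(query_string: str) -> str:
    """Choose the post-login Location from the login URL's query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("return", [""])[0]
    return safe_return_path(raw)


if __name__ == "__main__":
    for name, query in (("plain", PLAIN_QUERY), ("obfuscated", OBFUSCATED_QUERY)):
        print(f"{name}: redirect to {redirect_after_login(query)}")
```

The check decides on the fully decoded value but emits only a rebuilt path and query, so the login handler never echoes the attacker-controlled string into the `Location` header; a legitimate `return=http://gooddomain.tld/admin` still lands on `/admin`.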
Received on Jul 16 2008