Don Marti

Thu 01 Oct 2009 02:40:47 PM PDT

Bad redirect, bad, bad!

What do a large US city, a major university in the UK, and a news organization in Russia all have in common? All of their web sites are showing up in my comment spam, because they all have what Nilesh Kumar calls an Open Redirection Vulnerability, and the redirects all point at the same pharmaceutical spammers: newforces dot org. Cleaning up a spam run from these lowlife parasites right now.

Essentially the same as the goodbye script problem, these "open redirects" are scripts that take a URL as a parameter, and respond with an HTTP redirect to that URL. What makes them "open" is that they don't check the URL first, so they'll redirect users to anywhere. It's a way for the spammer to sneak through a URL blacklist, at least until the site running the open redirect gets on the URL blacklist and users start wondering why they can't get there any more.

If you have a script that does a redirect, please fix it. Give it a list of URLs that it will work for, and make it refuse to redirect elsewhere. (Just "die" will work.) These scripts aren't as big a problem as abandoned forums, but bigger than wiki spam, at least today.
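To make the fix concrete, here is an added example of a redirect script done both ways (this is example code, not Don Marti's script or anyone's production code). The allowlist hosts (`www.example.org`, `docs.example.org`) and the sample URLs are constructed for illustration. The open version hands back whatever the `url` parameter says; the checked version parses the URL, insists on an absolute `http`/`https` URL whose host is on the list, and otherwise returns `None` so the script can "die" instead of redirecting. The host check goes through `urlsplit().hostname`, which strips any `user@` prefix and port and lowercases the name, so a URL like `http://www.example.org@evil.test/` is recognised as pointing at `evil.test`, and a scheme-relative `//evil.test/` is refused because it has no scheme at all.

```python
"""Open redirect versus allowlisted redirect.

Added example, not the blog author's code. ALLOWED_HOSTS and the sample
URLs are constructed for illustration.
"""
import os
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only sites this redirect script will send users to.
ALLOWED_HOSTS = {"www.example.org", "docs.example.org"}
ALLOWED_SCHEMES = {"http", "https"}


def open_redirect_target(url):
    """The vulnerable pattern: redirect to whatever the 'url' parameter says."""
    return url


def checked_redirect_target(url):
    """Return url if its scheme and host are allowlisted, otherwise None.

    None is the signal for the script to refuse (the 'just die' option).
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed input (e.g. unbalanced IPv6 brackets): refuse.
        return None
    # Require an absolute http(s) URL. A bare path, 'javascript:' or a
    # scheme-relative '//host/...' form all fail this test.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    # Refuse userinfo outright; it is the classic way to make a URL look
    # like it points at a trusted host while the browser goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return None
    # .hostname drops port and userinfo and lowercases, so the comparison
    # is against the real destination host.
    host = parts.hostname
    if host is None or host not in ALLOWED_HOSTS:
        return None
    return url


def handle_redirect(url):
    """Return (status, value): 302 with the Location, or 400 to 'die'."""
    target = checked_redirect_target(url)
    if target is None:
        return 400, "refusing to redirect outside the allowlist"
    return 302, target


if __name__ == "__main__":
    # CGI-style usage: the destination arrives as the 'url' query parameter.
    query = parse_qs(os.environ.get("QUERY_STRING", ""))
    requested = query.get("url", [""])[0]
    status, value = handle_redirect(requested)
    if status == 302:
        print("Status: 302 Found\r\nLocation: %s\r\n\r\n" % value)
    else:
        print("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n%s" % value)
```

Keeping the allowlist as exact host names (rather than a substring or prefix match on the whole URL) is the point: a check like `url.startswith("http://www.example.org")` would still pass `http://www.example.org.evil.test/` and `http://www.example.org@evil.test/`, which is how these scripts end up "open" even when someone thought they had added a check.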