> _Open_ URL redirectors are trivially prevented by any vaguely sentient > web developer as URL redirectors have NO legitimate use from outside > one's own site so should ALWAYS be implemented with Referer checking
There are decent solutions to lock down some classes of open redirectors (and replace others with direct linking), but "Referer" checking isn't one of them. It has several subtle problems that render it largely useless in real-world apps. There are also some classes of redirection / content proxying problems that you can't quite eliminate until you give up on offering certain functionality to users (e.g. page translation, cached document views, embeddable <iframe> gadgets) - and that's actually an interesting conceptual struggle. > Apparently Google's web developers are so stubbornly unable to absorb > this simple notion that it has become company policy that officially > Google does not care about open redirectors: > > > http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection I actually wrote that bit, and as far as I remember, it's not a half-assed attempt to justify incompetence ;-) We have a vulnerability reward program, and it's just about not paying $500 for reports of that vulnerability - along with not paying for many other minimal-risk problems such as path disclosure. /mz _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
