Date: Wed, 7 Dec 2011 21:15:17 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: nick@...us-l.demon.co.uk
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Google open redirect

> _Open_ URL redirectors are trivially prevented by any vaguely sentient
> web developer as URL redirectors have NO legitimate use from outside
> one's own site so should ALWAYS be implemented with Referer checking

There are decent solutions to lock down some classes of open
redirectors (and replace others with direct linking), but "Referer"
checking isn't one of them. It has several subtle problems that render
it largely useless in real-world apps.

There are also some classes of redirection / content proxying problems
that you can't quite eliminate until you give up on offering certain
functionality to users (e.g. page translation, cached document views,
embeddable <iframe> gadgets) - and that's actually an interesting
conceptual struggle.

> Apparently Google's web developers are so stubbornly unable to absorb
> this simple notion that it has become company policy that officially
> Google does not care about open redirectors:
>
>   http://www.google.com/about/corporate/company/rewardprogram.html#url-redirection

I actually wrote that bit, and as far as I remember, it's not a
half-assed attempt to justify incompetence ;-)

We have a vulnerability reward program, and it's just about not paying
$500 for reports of that vulnerability - along with not paying for
many other minimal-risk problems such as path disclosure.

/mz
