[nycphp-talk] javascript calling php function
Rolan Yang
rolan at omnistep.com
Fri Feb 22 11:47:37 EST 2008
csnyder wrote:
> Right, you can't trust the referer if you fear scripted attacks.
>
> John, is that what you were talking about, or was it something more
> abstract and seo-related?
>
> I was picturing people using the open redirect to take advantage of
> your page rank by causing your site to link to theirs.
>
>
Your paranoia is well justified. Open redirects are exploited by
unsavory people in a number of ways. I came across a phishing email
recently posing as a fake "Paypal confirmation". In the page was a link
which appeared to point at aol.com (some 1/2 internet savvy people
glance at the url to see if it points to a "reputable" site before
clicking away on it). The aol.com link led to a well constructed
imitation of the Paypal login page which was intended to maliciously
steal accounts. Here is an example of the link:
http://www.aol.com/redir.adp?_e_t=ap&_a_v=2.0&_a_i=100124311x1116601028x1077500809&_url=http://www.nyphp.org
If you want to peek at a copy of the original phishing mail, check out
http://www.datawhorehouse.com/0day/paypalphish
The safer thing for Susan to do would probably be to put all the valid
redirect URLs in an array like:
redir.php:
<?php
$validURLS = array(
    0 => 'www.mysite.com',
    1 => 'www.yahoo.com',
    2 => 'www.nyphp.org',
    3 => 'www.php.net'
);
// some code to store hit in db logs goes here
$r = intval($_GET['r']);
// only ever redirect to an entry of the array; an unknown index falls back to the first entry
$target = isset($validURLS[$r]) ? $validURLS[$r] : $validURLS[0];
header('Location: http://' . $target);
exit;
?>
~Rolan
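The allowlist idea above, carried a little further as an added example (this is not Rolan's code or anything from the nyphp list; the parameter name u, the helper functions and the commented-out logRedirectAttempt() are assumptions). It keeps the numeric-index lookup from the post but rejects non-numeric input instead of letting intval() silently map "abc" to entry 0, and it adds the more general form of the same check: when the caller passes a full URL, the host is parsed out and compared exactly against the allowlist, so look-alike hosts such as www.nyphp.org.evil.example or a URL with the trusted name only in its query string are refused. Anything that fails either lookup gets a 400 rather than a redirect.

```php
<?php
// Added example, not code from the original post: a redirect handler that
// only sends the browser to a host on a fixed allowlist.

$validURLS = array(
    0 => 'www.mysite.com',
    1 => 'www.yahoo.com',
    2 => 'www.nyphp.org',
    3 => 'www.php.net',
);

// Resolve an index parameter (?r=2, as in the post) to an allowlisted
// target, or null when it is not a plain non-negative integer in range.
function targetFromIndex(array $allow, $r) {
    if (!preg_match('/^\d+$/', (string) $r)) {
        return null;                       // "2abc", "-1" or "" are not valid indexes
    }
    $i = (int) $r;
    return isset($allow[$i]) ? 'http://' . $allow[$i] : null;
}

// Resolve a full URL parameter (?u=http://www.nyphp.org/...) to itself only
// if its scheme is http(s) and its host is exactly one of the allowed hosts.
function targetFromUrl(array $allow, $u) {
    if (preg_match('/[\x00-\x20\x7f]/', $u)) {
        return null;                       // control characters or spaces never belong in a Location header
    }
    $parts = parse_url($u);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // relative or malformed URLs are refused
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return null;                       // no javascript:, data:, ftp: and so on
    }
    $allowedHosts = array_map('strtolower', $allow);
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;                       // exact host match, so www.nyphp.org.evil.example fails
    }
    return $u;
}

$target = null;
if (isset($_GET['r'])) {
    $target = targetFromIndex($validURLS, $_GET['r']);
} elseif (isset($_GET['u'])) {
    $target = targetFromUrl($validURLS, $_GET['u']);
}

if ($target === null) {
    // Fail closed: no redirect at all for an unknown target. A hypothetical
    // helper could record the rejected request for later review:
    // logRedirectAttempt($_GET);
    header('HTTP/1.1 400 Bad Request');
    echo 'Invalid redirect target';
    exit;
}

// hit logging for the accepted target would go here, as in the original snippet
header('Location: ' . $target, true, 302);
exit;
```

With the array from the post, targetFromIndex($validURLS, '2') returns http://www.nyphp.org while '2abc', '4' and 'abc' all return null; targetFromUrl() accepts http://www.nyphp.org/path?x=1 and rejects http://www.nyphp.org.evil.example/, http://evil.example/?x=www.nyphp.org and //www.nyphp.org/. Keeping the comparison on the parsed host rather than on a substring of the raw string is the whole point: a substring check is what the phishing link in the mail above relies on a reader making by eye.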