How to secure your URL-redirector
29 01 2008

While I wrote the previous post and did some googling I noticed that the ARD also has one of those pesky URL-redirectors. It is here. Try to attach any URL to the parameter called url, like this one. What’s the problem with redirectors on your website which allow people to redirect to arbitrary pages? There’s an article at Heise Security which explains it quite well (I don’t know what’s worse, Google or a news site like the ARD).
So if you really think you need some automagic redirection like this (e.g. to count outgoing clicks), please implement at least these easy rules:
- If it’s used by a form only (like in the Google case), make sure it works with POST only.
- If you want to use it in clickable links, check the Referer. Not every browser sets that header; in those cases show a static page which explains to the user what is happening and offers him a link to actually exit.
Even more secure is to put every link ever used on your site in a database (you want to track the clicks anyway, right?) and add an id to the URL. Then people can only hop over your site when you posted that link yourself before.
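The three rules above, worked out in code. This is an added example, not code from the post or from any of the sites it mentions; the request and response shapes, the host name example.org and the links table are constructed stand-ins for whatever framework and database a real site uses.

```python
"""Hardening a URL redirector against open-redirect abuse (added example).

Rule 1: a redirector reached only from our own form accepts POST, never GET.
Rule 2: a redirector used in clickable links checks the Referer and, when it
        is missing or foreign, shows a static "you are leaving" page instead
        of jumping automatically.
Rule 3: the safest variant takes only the id of a link the site stored itself;
        the client never supplies a URL at all.
Stdlib only; Request/Response are hypothetical minimal shapes.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

OUR_HOST = "example.org"  # constructed: the site hosting the redirector

# Constructed stand-in for the links table: id -> URL the site posted itself.
KNOWN_LINKS = {
    "42": "https://partner.example/article",
    "7": "https://example.org/internal/page",
}


@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    action: str  # "redirect", "interstitial" or "reject"
    location: str = ""
    status: int = 200


def _same_site(referer: str) -> bool:
    """True when the Referer names our own host (or a subdomain of it)."""
    host = urlsplit(referer).hostname or ""
    return host == OUR_HOST or host.endswith("." + OUR_HOST)


def _is_http_url(url: str) -> bool:
    """Only absolute http(s) URLs are ever redirected to; schemeless or
    other-scheme values are refused outright."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def form_redirect(req: Request) -> Response:
    """Rule 1: POST only, so a plain link in a mail or a page cannot drive it."""
    if req.method != "POST":
        return Response("reject", status=405)
    url = req.params.get("url", "")
    if not _is_http_url(url):
        return Response("reject", status=400)
    return Response("redirect", location=url, status=302)


def link_redirect(req: Request) -> Response:
    """Rule 2: redirect automatically only when the click came from our own
    pages; otherwise show the static explanation page with the link on it."""
    url = req.params.get("url", "")
    if not _is_http_url(url):
        return Response("reject", status=400)
    referer = req.headers.get("Referer", "")
    if referer and _same_site(referer):
        return Response("redirect", location=url, status=302)
    return Response("interstitial", location=url, status=200)


def id_redirect(req: Request) -> Response:
    """Rule 3: look the id up in the links table; unknown ids are a 404."""
    target = KNOWN_LINKS.get(req.params.get("id", ""))
    if target is None:
        return Response("reject", status=404)
    return Response("redirect", location=target, status=302)


if __name__ == "__main__":
    hit = Request("GET", {"url": "https://partner.example/"},
                  {"Referer": "https://attacker.example/mail"})
    print(link_redirect(hit))  # Response(action='interstitial', ...)
    print(id_redirect(Request("GET", {"id": "42"})))
```

The Referer check is the weakest of the three: a click from a page that sends no Referer lands on the interstitial rather than being refused, which is exactly why the post recommends the id lookup where the site already tracks its outgoing links anyway.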
Or just don’t do stuff like that.
Hmm… interesting, this link redirects to port 9185 on g4035180.swr.de. Not that this machine was accessible from the outside, but if the rest of the CMS is written as badly as this part…