
Bug 197738 - Open redirect on netbeans.org newsletter
Summary: Open redirect on netbeans.org newsletter
Status: NEW
Alias: None
Product: www
Classification: Unclassified
Component: Web Content
Version: 7.0.1
Hardware: PC Linux
Importance: P2 normal
Assignee: Jan Pirek
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-04-14 12:02 UTC by akochnev
Modified: 2012-05-25 13:21 UTC
0 users

See Also:
Issue Type: DEFECT
Exception Reporter:


Description akochnev 2011-04-14 12:02:30 UTC
This is currently being used when the newsletters are published; the URL looks like this:

http://netbeans.org/jump.html?url=http%3A%2F%2Fwww.troymaxventures.com%2F2011%2F04%2Fprogrammatically-working-with-databases.html&intcmp=925655

Obviously, the idea is for users to see that this is an item published on netbeans.org, but when they click on the link to be redirected to the target site.

This open redirect can be used for phishing attacks for sending users to unsavory sites and making it look like it was all sanctioned by NetBeans, e.g.:


http://netbeans.org/jump.html?url=http%3A%2F%2Fwww.evil.org&intcmp=925655

would redirect the user to www.evil.org.

More details on the subject at http://cwe.mitre.org/data/definitions/601.html and https://www.owasp.org/index.php/Open_redirect
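
An added example, not part of the original report and not NetBeans code: one way a `jump.html`-style redirector could validate its `url` parameter against an allow-list before redirecting. The function name `resolveJumpTarget`, the `ALLOWED_HOSTS` list and the `FALLBACK` URL are assumptions made for illustration; the report does not say how the redirector is implemented.

```javascript
// Added example: allow-list check for a jump.html-style redirector.
// ALLOWED_HOSTS is a constructed sample; the real set of newsletter
// target hosts is not given in the report.
const ALLOWED_HOSTS = new Set(["netbeans.org", "www.troymaxventures.com"]);
const FALLBACK = "http://netbeans.org/"; // assumed safe landing page

// Returns the URL the redirector should send the browser to: the requested
// target when it passes every check, otherwise FALLBACK.
function resolveJumpTarget(jumpUrl, allowedHosts = ALLOWED_HOSTS) {
  let raw;
  try {
    // searchParams.get() percent-decodes the value exactly once.
    raw = new URL(jumpUrl).searchParams.get("url");
  } catch {
    return FALLBACK;
  }
  if (!raw) return FALLBACK;

  let target;
  try {
    // Parsed without a base URL, so relative and scheme-less values
    // are rejected instead of being resolved against the current site.
    target = new URL(raw);
  } catch {
    return FALLBACK;
  }

  // Only web schemes are valid redirect targets.
  if (target.protocol !== "http:" && target.protocol !== "https:") return FALLBACK;
  // Refuse embedded credentials (user@host): the text before "@" is not the host.
  if (target.username || target.password) return FALLBACK;
  // Exact match on the parsed, lower-cased hostname; no prefix or substring tests.
  if (!allowedHosts.has(target.hostname)) return FALLBACK;

  // Redirect to the normalised form that was validated, not the raw string.
  return target.href;
}
```

With this check the first URL in the report still reaches its article, while the `www.evil.org` variant lands on the fallback page.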
Comment 1 RobertPattinson 2012-05-25 13:21:48 UTC
SPAM - Removed by Administrator