First, we reviewed the code for all uses of redirects or forwards (called a transfer in .NET). Next, for each use, we identified if the target URL was included in any parameter values. In some cases it was, but there was validation in place to ensure that the value was a valid site.

Not giving up on the idea, we spidered the site to see if it generates any redirects (HTTP response codes 300-307, typically 302). We looked at the parameters supplied prior to the redirect to see if they appear to be a target URL or a piece of such a URL. That is where we found the bug. In one case we were able to change the target and observed that the redirect would allow us to redirect to any site of our choosing.

See, web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Now, without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

www.rockettheme.com/forum/index.php?f=92...50371&rb_v=viewtopic