In a multi-step form process, I am receiving a URL as a form field.

After processing, my PHP script redirects to that address using header("Location: ...");

Apart from the possibility of being misused as a redirect service for porn sites to generate harmless-looking links in E-Mails (Open Redirect, which can be helped by matching the URL to the local domain), are there any hacking / exploitation dangers to be aware of in this process?

One thing that came to mind was smuggling newlines into the URL, which might open the possibility of sending arbitrary headers to the client.

Comments

The term for this is Open redirect. See: owasp.org/index.php/Open_redirect

Written by Eric Butera

Thanks @Eric for introducing the term.

Written by Pekka

Thanks.

Written by Notinlist

No sorry, I don't know when it was changed. It was a year or two ago, if you aren't patched against header() attack then you have bigger problems on your hands because worse vulnerabilities where fixed since then.

Written by Rook

@Michael, I'm just curious for reference. Maybe I'll look it up and put it in here.

Written by Pekka

Accepted Answer

In old versions of PHP you had to worry about CRLF injection which is \r\n. This is a "header response splitting vulnerability." If you strip out these characters then you shouldn't have to worry. In the latest build of of PHP the header() function is safe, and will automatically take care of \r\n for you.

Written by Rook
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki