Wide-open redirects


A.F...@ford-mason.co.uk

Nov 19, 2008, 9:15:19 AM
to stopbadware
I used to use a RedirectRule on a couple of my websites to redirect to
external websites, e.g.:


A.F...@ford-mason.co.uk

Nov 19, 2008, 9:23:09 AM
to stopbadware
I used to use an Apache RewriteRule on a couple of my websites to
redirect to external websites, e.g.:

RewriteRule /external/(.*) $1

This strips off the prefix "/external/" and redirects to whatever
follows. I used this to get a trace in the access log of outbound
links. What I had not considered is that it allows anyone to create
links that appear to be on my sites, but which redirect to other
(usually porn) sites... which got picked up by the "stopbadware"
program.

I had this feature on my site for almost a decade, and was initially
surprised when I found that it was abused. I suppose I could put a
RewriteCond around the rule, or maintain a list of offsite-links that
are allowed. The thing is that my site content is mirrored by sites
that I don't know about and having a link to
"http://cronolog.org/external/http://somewhere-else/..." meant that
through the referrer information I got some stats about what those
other sites were.

Oh well, it was nice while it lasted.

Andrew Ford
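
The allow-list option mentioned in the post, sketched as an added example that is not part of the original message or the author's configuration. The map file path, the keys and the destination URLs are constructed placeholders, and `RewriteMap` has to be declared in server or virtual-host context.

```apache
RewriteEngine On

# Before (the rule from the post): whatever follows /external/ becomes the
# redirect target, so anyone can mint links on this site to any destination.
#RewriteRule /external/(.*) $1

# After: requests carry a short key, never a URL. The destination comes from
# a map file the site owner maintains (constructed path and entries), one
# "key URL" pair per line:
#   docs-mirror    http://docs.example.org/cronolog/
#   mirror-list    http://www.example.net/mirrors.html
RewriteMap outbound "txt:/etc/apache2/outbound.map"

# The RewriteRule pattern is matched before its conditions are evaluated,
# so $1 is usable here. Unknown keys expand to the default value NONE and
# fail the condition.
RewriteCond ${outbound:$1|NONE} !=NONE
RewriteRule ^/external/([A-Za-z0-9_-]+)$ ${outbound:$1} [R=302,L]

# Anything else under /external/ is refused instead of redirected.
RewriteRule ^/external/ - [F]
```

Links take the form /external/docs-mirror, so each click still leaves a line in the access log with its referrer, while the destination is fixed by the map file rather than by the request.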

A.F...@ford-mason.co.uk

Nov 19, 2008, 9:25:16 AM
to stopbadware
Ignore this message - I hit "post" accidentally before I'd finished
writing it.

On Nov 19, 2:15 pm, "AndrewWJF...@googlemail.com" <A.F...@ford-