Nishant Das Patnaik

 

# Exploit Title: Non Persistent XSS in Rediffmail.com Link Redirection CGI Script
# Date: 20th January 2010
# Author: Nishant Das Patnaik
# Link: http://www.rediffmail.com/cgi-bin/red.cgi?red=
# Version: NA
# Tested on: NA
# CVE : NA
# Code : The above mentioned link can be manipulated by appending some malicious encoded URL and can be used for phishing purposes. This link when sent to a unsuspecting Rediff user through his/her email may redirect to a fraudulent website used for phishing. This is possible because the redirection script doesn't use any URL tokens for each legitimate redirection link generated.

Screenshot: