Netto.se Open Redirection

`Background  
--------------  
Netto is a supermarket chain based in denmark with stores in Denmark,  
Poland, Germany and Sweden. The following vulnerability affects the  
swedish branch site although similar ones may affect others.  
  
Vulnerability  
--------------  
The vulnerability is present on the netto.se website redirector in  
http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=   
the redirector will basically take anything except an space placed on  
the redirect field and put it as is in the src attribute of the frame  
field. This allows for different ways of attack including redirection to  
external sites and javascript injection through the onload parameter.  
  
Reasons for disclosure  
---------------------------  
The administrator of the site was contacted but didn't answer. Since the  
deadline passed this disclosure is now for public release.  
  
Also since this exploit could be abused to phish user information  
through fake promotional mails I decided to disclose it.  
  
Example  
----------  
This properly crafted URL should fool IE browsers too (although I can't  
ensure that) by reredirecting the user to the same redirector.  
  
It includes both a external site redirection (to willy:s one of netto's  
rivals) and a simple arbitrary javascript injection.  
  
http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=http://www.netto.se/internet/nettos/menu/main.nsf/ForceFrame?readform&redirect=http://willys.se"onload="alert(unescape('My%252520security%252520sucks'));"></frameset><!--  
  
  
Gratz  
-------  
Gratz and salutations go to: Jupiter at DDTek, the Gentoo Hardened team  
the PaX team, spender, Dan Rosenberg and of course my CTF team mates at  
littlenuns  
  
`