[UPDATE 2011-10-26] The story has developed.[/UPDATE]
Recently I was talking with somebody about the WEB.DE toolbar, and today I finally got around to look something up I was told then. And while I searched for the information on the download page for the WEB.DE toolbar, I stumbled over the download URL for the installer:
http://wa.ui-portal.de/webde/webde/s?produkte.browserdownload.link.download.ff7&bd_mc=undef_undef&ns_type=pdf&ns_url=http://dl.web.de/browser/firefox/WEB.DE_MFF7_Setup.exe
There I was magically attracted by the ns_url parameter, because it smelled like something where you could just pass any URL along. And indeed you can: http://wa.ui-portal.de/webde/webde/s?produkte.browserdownload.link.download.ff7&bd_mc=undef_undef&ns_type=pdf&ns_url=http://bundestrojaner.net/inhalt-bundestrojaner-gratis-download-3.html. That should redirect you to http://bundestrojaner.net/inhalt-bundestrojaner-gratis-download-3.html instead of http://dl.web.de/browser/firefox/WEB.DE_MFF7_Setup.exe.
This is a serious flaw, as it might allow an attacker to request a username and password combination from an unsuspecting user. With a harvest page designed to look like another WEB.DE page you should have a high return rate. This is, by the way, a flaw on the OWASP Top 10 (2010 edition).
I've informed somebody working for United Internet and expect the bug to be resolved pretty soon, hopefully it won't work anylonger when you read this.
