Windows Server 2003 Standard
A parameter has been identified that can be modified to redirect clients to a user-controlled page. An attacker could potentially construct a URL that will redirect a victim to a site that they control. This type of attack is typically seen in phishing attacks where the user is presented with a valid link on the site (i.e. http://www.hackersafe.com/main.jsp?state=4&page=http://hackersafe-evilsite.com) and hackersafe.com redirects the user to hackersafe-evilsite.com (the site the attacker controls). The fact that the server name in the modified link is identical to the original site helps the attacker by giving his phishing attempts a more reliable appearance.
I understand disabling FBA will resolve this; is there any other way?
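As an added illustration of the finding quoted above (not code from the post, and not an Exchange or IIS setting), this Python function shows what validating a redirect parameter like `page=` looks like: only site-relative paths or absolute URLs whose host is on an allow-list are honoured, and everything else falls back to a fixed landing page. The host list and `/main.jsp` default are assumptions taken from the example URL in the post.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts a redirect may legitimately land on (constructed for this example;
# in a real deployment this would come from configuration).
ALLOWED_HOSTS = {"www.hackersafe.com", "hackersafe.com"}
DEFAULT_TARGET = "/main.jsp"  # assumed safe landing page


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a redirect target that stays on the site, or `default`.

    Accepts a site-relative path ("/inbox?folder=1") or an absolute http(s)
    URL whose host is allow-listed. Anything else falls back to `default`:
    other hosts, non-http schemes, scheme-relative "//host" forms, backslash
    variants ("/\\host"), and userinfo tricks ("http://good.host@evil.host").
    """
    if not raw:
        return default

    # Browsers treat "\" like "/" in URLs, so normalise before inspecting:
    # "/\evil.example" must be recognised as the "//evil.example" form.
    candidate = raw.replace("\\", "/")

    if candidate.startswith("/") and not candidate.startswith("//"):
        # Site-relative path: keep only path and query, drop any fragment.
        parts = urlsplit(candidate)
        return urlunsplit(("", "", parts.path, parts.query, ""))

    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https"):
        # Catches "//host" (empty scheme), "javascript:", "data:", etc.
        return default
    if parts.username is not None or parts.password is not None:
        # "user@host" disguises the real destination behind a trusted-looking name.
        return default
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", parts.query, ""))
```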