Web Applications Attacks: Open Redirection Vulnerabilities

Open redirection or URL redirection vulnerabilities occur when a web application takes user-controllable input and uses it, without adequate validation, as the target of a redirect, sending the user’s browser to a URL of the attacker’s choosing rather than a page on the original domain.

These vulnerabilities are generally of much less interest to an attacker than cross-site scripting, which can be used to perform a far wider range of malicious actions. URL redirection issues are primarily useful in phishing attacks, in which an attacker seeks to induce a victim to visit a spoofed website and enter sensitive details.

A URL redirection vulnerability lends credibility to the attacker’s approach because it lets him craft a link that genuinely points at the authentic website he is targeting. Such a link is far more convincing than one to an unfamiliar domain, and anyone who follows it is silently redirected to a website the attacker controls.

How does it work?
An open redirection vulnerability is typically found wherever a page accepts a destination as input: for example, a return URL parameter that the site redirects to after validating the user’s credentials, an error or login page that bounces the user back to a caller-supplied address, or a redirect target read from the query string by client-side JavaScript.
The protection is therefore the same as for any other input: the script must validate the destination before redirecting, for example by accepting only relative paths on its own site or by checking the target against an allow-list of hosts. Simply looking for the site’s own name inside the string is not enough.
Example:

http://vulnerable-site.com/?url=http://evil-website.com
http://vulnerable-site.com/login.php?error=http://evil-website.com
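To make the protection concrete, the following is an added example in Python (not code from the original page): a redirect-target check for a hypothetical site at https://vulnerable-site.com, shown beside the vulnerable pattern that uses the parameter verbatim. The function names, the site origin and the probe inputs are assumptions made for this example. It goes a little beyond the two URLs above by also rejecting the usual ways a naive "does it contain our domain?" check is bypassed: scheme-relative `//evil-website.com`, backslash variants, `javascript:` schemes, and look-alike hosts such as `vulnerable-site.com.evil-website.com` or `vulnerable-site.com@evil-website.com`.

```python
from urllib.parse import urljoin, urlparse

# Hypothetical site this redirect handler belongs to (assumed for the example).
SITE_ORIGIN = "https://vulnerable-site.com"
# Where to send the user when the requested target is not acceptable.
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(url_param: str) -> str:
    """The flawed pattern: whatever arrives in ?url= becomes the Location
    header verbatim, so ?url=http://evil-website.com is followed as-is."""
    return url_param


def safe_redirect_target(url_param: str,
                         site_origin: str = SITE_ORIGIN,
                         default: str = DEFAULT_TARGET) -> str:
    """Return an absolute URL on site_origin, or `default` if the supplied
    target cannot be proven to stay on the site.

    Two shapes are accepted: a plain site path ("/account") or an absolute
    URL whose scheme and host match site_origin exactly. Everything else,
    including anything the browser might read as a different host, is
    replaced by the default.
    """
    if not url_param:
        return default

    # Browsers tolerate leading/trailing whitespace around a URL.
    candidate = url_param.strip()
    origin = urlparse(site_origin)
    parsed = urlparse(candidate)

    if parsed.scheme or parsed.netloc:
        # Absolute URL (or network-path reference such as "//evil-website.com",
        # which urlparse reports with an empty scheme). Compare the whole
        # netloc, not just the hostname, so userinfo tricks like
        # "https://vulnerable-site.com@evil-website.com" are rejected, and
        # compare exactly so "vulnerable-site.com.evil-website.com" is too.
        if (parsed.scheme != origin.scheme
                or parsed.netloc.lower() != origin.netloc.lower()):
            return default
    else:
        # Relative reference. Require a single leading "/": "//host" is a
        # network-path reference, and browsers treat "/\host" the same way.
        if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
            return default

    # Resolve against our own origin, then re-check the result. This is
    # defence in depth against any path normalisation surprise in urljoin.
    resolved = urljoin(site_origin, candidate)
    final = urlparse(resolved)
    if (final.scheme != origin.scheme
            or final.netloc.lower() != origin.netloc.lower()):
        return default
    return resolved


if __name__ == "__main__":
    # Constructed probe inputs: the two URLs from the text plus common bypasses.
    probes = [
        "/account/settings",
        "https://vulnerable-site.com/login",
        "http://evil-website.com",
        "//evil-website.com",
        "/\\evil-website.com",
        "https://vulnerable-site.com.evil-website.com/",
        "https://vulnerable-site.com@evil-website.com/",
        "javascript:alert(1)",
    ]
    for p in probes:
        print(f"{p!r:55} vulnerable -> {vulnerable_redirect_target(p)!r:50} "
              f"safe -> {safe_redirect_target(p)!r}")
```

The value returned by `safe_redirect_target` is what goes into the `Location` header; the caller never touches the raw parameter. The check is deliberately strict: an absolute URL with an explicit port (`https://vulnerable-site.com:443/x`) is rejected because its netloc differs from the configured origin, which is the right default unless the application genuinely needs to accept it.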

Attackers and spammers can use this vulnerability to build convincing phishing campaigns, since the link the victim sees really does point at the trusted site.
