Med College website

I see they finally put up a new version of the medical college website. They've 301 redirected to their new address. Hopefully their next step is to work on their URL rewrite engine so the page displays as http://www.rushu.rush.edu/medcol/ or something and not:

Sheesh :P. Seems like that could raise security issues. Ah well, they're making progress, I guess.


Comments

just curious, where's the security risk?

I had to look up how a 301 works. I was wondering about the security issues regarding their lack of URL masking. What exactly is that URL telling me that I shouldn't know? Just curious.

This response is way too long

The security risk doesn't have anything to do with the 301 redirect. That's just how they're getting you to the new page. In theory there's a security risk whenever you use a GET request with unmasked URLs, I think. Most of the following is somewhat speculative. If their server is configured well enough, this won't be a big problem, but if it's not, it could be. GET requests place page variables in the URL (anything after the ?, separated by &). For example, just by reading their new URL, I know the following variables are used to build the page:

c=RushUnivLevel1Page
cid=1142960797000
pagename=Rush%2FRushUnivLevel1Page%2FLevel_1_College_Home_Page

By placing the variables in a GET request, I can physically change any of them or leave one of them out. Just because they both give me server errors doesn't mean that information's useless. Depending on how the underlying source of their page is written, a talented (and lucky) hacker could potentially introduce a variable to the string that could access their database. Part of the safety that a URL rewrite engine provides is that people viewing the page (potential hackers) don't know what variables are being defined or how they are being queried.

I may be going overkill, but I'll give a crude example, which I am somewhat making up, but regardless. Take Drupal's default "Clean URL" structure. Let's say Drupal's default request for viewing a post is: example.com/node?q=5, where 5 is the id number of a particular post. By showing people that, what if they changed it to: example.com/node?q=5&delete=true? Would that be enough to delete the post? See where I'm going with this? Most well-designed sites would have settings to block that sort of thing from a regular viewer, but almost any site has potential vulnerabilities when you're able to manually input any variable you choose. POST requests are a little more secure, but not much.

I'm done babbling. Feel free to ask questions.
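The parameter-tampering scenario sketched in the reply above (reading the variables off a GET URL, then adding one such as delete=true and seeing whether the server honours it), as an added example that is not part of the original post or any commenter's code. It is a hypothetical pair of request handlers in Python, not Drupal's or the medical college site's code: the "naive" handler acts on whatever query variables it finds, the hardened one ignores unexpected variables and makes deletion an explicit action that requires POST, an authorization check and a CSRF token. The post store, the example.com URLs and the helper names are all constructed for the illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample "database" of post id -> body (hypothetical, not a real site).
POSTS = {5: "Hello from post 5", 6: "Hello from post 6"}


def parse_query(url):
    """Return the query variables of a URL as a dict, the way the reply above
    reads them off a GET URL: everything after '?', split on '&', with
    percent-escapes such as %2F decoded by parse_qs."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}


def naive_handler(url, posts):
    """Hypothetical vulnerable handler: it trusts every variable in the URL.
    Appending '&delete=true' to a plain view URL is enough to delete the post,
    with no method, authorization or CSRF check at all."""
    params = parse_query(url)
    node_id = int(params.get("q", "0"))
    if node_id not in posts:
        return "404"
    if params.get("delete") == "true":
        del posts[node_id]          # destructive action driven by a GET variable
        return "deleted"
    return posts[node_id]


def hardened_handler(method, url, posts, user_can_delete=False, csrf_ok=False):
    """Hardened counterpart. Only the variables the page actually defines are
    read; a stray 'delete=true' is ignored. Deletion is a separate 'action'
    that must arrive as POST, from a user allowed to delete, with a valid
    CSRF token (modelled here as the csrf_ok flag, an assumption)."""
    params = parse_query(url)
    try:
        node_id = int(params["q"])
    except (KeyError, ValueError):
        return "400"                # missing or non-numeric id: reject, don't guess
    if node_id not in posts:
        return "404"
    action = params.get("action", "view")
    if action == "view":
        return posts[node_id]
    if action == "delete":
        if method != "POST":
            return "405"            # state change over GET is refused outright
        if not (user_can_delete and csrf_ok):
            return "403"            # authorization and CSRF token both required
        del posts[node_id]
        return "deleted"
    return "400"                    # unknown action


if __name__ == "__main__":
    db = dict(POSTS)
    print(naive_handler("http://example.com/node?q=5&delete=true", db), db)
    db = dict(POSTS)
    print(hardened_handler("GET", "http://example.com/node?q=5&delete=true", db), db)
```

Run stand-alone it shows the naive handler deleting post 5 from a GET request while the hardened handler simply serves the post; the extra variable buys the attacker nothing because the handler never looks at it. The same pattern, an explicit allowlist of expected parameters plus a method and authorization check on every state-changing action, is what makes the visible query string harmless regardless of whether a rewrite engine hides it.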