Possible spoofing of $redir url with subdomain/domain

Emerica — Tue, 04 Mar 2014 19:22:11 -0500

github.com/Phorum/Core/blob/master/login.php [github.com]

Language: PHP
$redir_ok = FALSE;
                $check_urls = array();
                if (!empty($PHORUM[';login_redir_urls';])) {
                    $check_urls = explode(';,';, $PHORUM[';login_redir_urls';]);
                }
                $check_urls[] = ';http://localhost';;
                $check_urls[] = $PHORUM[';http_path';];
 
                foreach ($check_urls as $check_url)
                {
                     // The redir-url has to start with one of these URLs.
                     if (stripos($redir, $check_url) === 0) {
                            $redir_ok = TRUE;
                            break;
                     }
                }

Correct me if I'm wrong but a cleverly crafted url, any url with localhost* will return true.
IE: [localhost.phishingsite.com], [localhostxffsgaggesgssdsjadsajdasd.com]
This would appear to be an easy way for phishers to bypass the protection written.
Might be possible with the site url as well if the redirect url had multple subdomains. target.com.phishingsite.com
This should probably be marked for revision if it's current code.