CWE-SANS-Top-25/Insecure-interaction-between-components/CWE-601
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Description
Some web applications redirect the browser to a URL taken from the request. If that URL is not validated, an attacker can craft a link on the legitimate site that sends a victim to a resource of the attacker's choosing.
Consider the following PHP page as an example:
<?php
/***
 * index.php
 */
$redirect_url = $_GET['url'];          // taken straight from the query string, never validated
header("Location: " . $redirect_url);  // the browser is sent wherever the attacker chose
// ...
?>
The intended behavior is an internal redirection to another page of the same application. However, because the target is never checked, this code lets an attacker distribute a link such as:
http://legitimatesite.com/index.php?url=http://malicioussite.com/
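The fix is to accept only targets the application itself considers legitimate. The following is an added example, not code from the wiki page: a hardened version of the same `index.php` that allowlists redirect targets before emitting the `Location` header. The host list and the fallback path are hypothetical values chosen for the example.

```php
<?php
/**
 * index.php (hardened, added example)
 * Validates the redirect target before emitting the Location header.
 */

/**
 * Return the candidate when it is a safe redirect target, or null when it must be rejected.
 * Accepted: a same-site relative path such as "/account", or an absolute http/https URL
 * whose host appears in $allowed_hosts.
 */
function safe_redirect_target(string $candidate, array $allowed_hosts): ?string
{
    // Reject control characters and whitespace: they enable header injection (CRLF)
    // and make browsers and server-side parsers disagree about the URL.
    if (preg_match('/[\x00-\x20\x7f]/', $candidate)) {
        return null;
    }
    // Browsers treat "/\evil.com" much like "//evil.com", so refuse backslashes outright.
    if (strpos($candidate, '\\') !== false) {
        return null;
    }

    $parts = parse_url($candidate);
    if ($parts === false) {
        return null;
    }

    // Case 1: relative path on this site. It must start with exactly one "/";
    // a leading "//" is a scheme-relative URL that points off-site (parse_url
    // already reports a host for "//evil.com", so that case falls through to case 2).
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        $path = $parts['path'] ?? '';
        if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
            return null;
        }
        return $candidate;
    }

    // Case 2: absolute URL. Only http/https, and only an allowlisted host.
    // This also rejects "javascript:" targets and "http://legit@evil.com" tricks,
    // because the host component is what is compared.
    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = strtolower($parts['host'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (!in_array($host, $allowed_hosts, true)) {
        return null;
    }
    return $candidate;
}

// Hypothetical allowlist and fallback for this example.
$allowed_hosts = ['legitimatesite.com', 'www.legitimatesite.com'];
$fallback      = '/';

$target = safe_redirect_target((string) ($_GET['url'] ?? ''), $allowed_hosts) ?? $fallback;
header('Location: ' . $target, true, 302);
exit;
?>
```

With this check in place, `index.php?url=http://malicioussite.com/` redirects to the fallback path instead of the attacker's site, while `?url=/account` and `?url=https://www.legitimatesite.com/account` still work. The relative-path branch is deliberately strict because `parse_url` is PHP's parser, not the browser's; anything that is not plainly a single-slash path is treated as absolute and must pass the host allowlist. When the set of legitimate targets is small, an even simpler design is to pass an opaque key (`?next=account`) and map it to a URL server-side, so no URL is ever taken from the request at all.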

Risk measurement
| Metric | Rating |
|---|---|
| Weakness Prevalence | High |
| Remediation Cost | Medium |
| Attack Frequency | Sometimes |
| Consequences | Code execution, Data loss, Denial of service |
| Ease of Detection | Easy |
| Attacker Awareness | Medium |