My site was flagged during daily security scans as allowing an open URL redirect. I've found this issue relates to the Secure Login module. When it is enabled, open redirects are allowed; when disabled, a 404 error is shown as expected.
Steps to repeat the issue:
1. Install Secure Login on site
2. Go to http://example.com/?q=http://google.com
3. You will be taken to Google (BAD!)
This is a potentially major security hole, especially for sites needing to conform to McAfee Secure PCI compliance.
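
A defensive check for the behaviour reported above, as an added example that is not part of the original post and not code from Secure Login or Drupal. It assumes the redirect target is derived from the `q` parameter, as the reproduction steps suggest; the function names and the `https://example.com` base URL are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not code from Secure Login or Drupal.

// TRUE only when $q is a site-internal path (no scheme, no host).
function example_is_local_path($q) {
  if (!is_string($q) || $q === '') {
    return FALSE;
  }
  // CR/LF and other control characters can split headers or confuse URL parsers.
  if (preg_match('/[\x00-\x1f\x7f]/', $q)) {
    return FALSE;
  }
  // Browsers treat "\" like "/", so "\\host" behaves like "//host".
  $normalized = str_replace('\\', '/', $q);
  // Protocol-relative form: "//google.com".
  if (strpos($normalized, '//') === 0) {
    return FALSE;
  }
  // Leading scheme such as "http:" or "javascript:".
  if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $normalized)) {
    return FALSE;
  }
  return TRUE;
}

// Builds the redirect target on the site's own base URL; an unsafe value
// falls back to the front page instead of being followed.
function example_redirect_target($base_url, $q) {
  $path = example_is_local_path($q)
    ? ltrim(str_replace('\\', '/', $q), '/')
    : '';
  return rtrim($base_url, '/') . '/' . $path;
}

// Constructed sample inputs; the first is the value from the reproduction steps.
$samples = array(
  'http://google.com',
  '//google.com',
  '\\\\google.com',
  "node/1\r\nX: y",
  'user/login',
  'node/1?page=2',
);
foreach ($samples as $q) {
  printf("%-24s => %s\n", json_encode($q), example_redirect_target('https://example.com', $q));
}
```

Because the target is always built on the site's own base URL, a value that slips past the checks still cannot change the destination host.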